Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
OCP 4.18 - Content Security Policy implementation
Story Points:
2

Target Version:
None
Release Blocker:
None
Sprint:
HAC Infra OCP - Sprint 262

Console HTML index template contains an inline script tag used to set up SERVER_FLAGS and visual theme config.

This inline script tag triggers a CSP violation at Console runtime (see attachment for details).

The proper way to address this error is to allow this script tag - either generate a SHA hash representing its contents or generate a cryptographically secure random token for the script.

AC:

There is no CSP violation reported for inline script tag.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

csp-inline-script-tag.png
45 kB
2024/09/10 2:49 PM

links to

openshift/console#14156: CONSOLE-4263: Add initial Content Security Policy for Console web application

openshift/console#14400: CONSOLE-4266: Fix CSP inline script tag error in Console HTML template

Assignee:: Vojtech Szocs

Reporter:: Jakub Hadvig

Need Info From:: None

Contributors:: None

QA Contact:: YaDan Pei

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/09/10 1:26 PM

Updated:: 2024/11/18 1:57 AM

Resolved:: 2024/11/18 1:57 AM