Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.7
Affects Version/s: 1.7
Component/s: orchestrator-core-plugin
Labels:
- milestone-7
- qe
- triaged

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The workflow editor sources served statically by the orchestrator backend can only run by configuring the following csp for backstage backend:

 script-src: ["'self'", "'unsafe-inline'", "'unsafe-eval'"] 
 script-src-elem: ["'self'", "'unsafe-inline'", "'unsafe-eval'"] 
 connect-src: ["'self'", 'http:', 'https:', 'data:']

See:
https://github.com/parodos-dev/orchestrator-helm-chart/blob/main/charts/orchestrator/templates/rhdh-operator.yaml#L86

This exposed the users to security threats.

account is impacted by

FLPATH-2410 RHDH-Local UI Not Rendering Workflow Definition

Closed

is duplicated by

FLPATH-2410 RHDH-Local UI Not Rendering Workflow Definition

Closed

is related to

FLPATH-2410 RHDH-Local UI Not Rendering Workflow Definition

Closed

relates to

FLPATH-2630 [1.7] Orchestrator workflow definition pane is blank

Closed

links to

Upstream (sonataflow) issue

(1 links to)

Assignee:: Marek Libra

Reporter:: Marek Libra

QA Contact:: Yona First

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/05/21 5:28 PM

Updated:: 2025/09/01 2:28 PM

Resolved:: 2025/09/01 2:28 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates