JENKINS-60865

Content Security Policy: smooth introduction

    Details

    • Type: Epic
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: core
    • Labels:
      None
    • Epic Name:
      CSP smooth introduction
      Description

      Objective of this Epic: introduce Content Security Policy (CSP) headers in Jenkins (reference).

      Without going too far into details: to get good protection from CSP, we need to build a whitelist of approved URLs (possibly just same-origin) from which static content (CSS / JavaScript) may be loaded, and/or a list of whitelisted (authorized) inline content. Whitelisting a piece of content by its hash has the drawback of adding weight to every response that carries the header.

      The advantage of this set of headers is that it prevents a large number of XSS threats: the browser refuses to execute scripts, and to apply styles, that the policy does not authorize.

      To achieve this migration with as little pain as possible, here are the proposed steps:
      1) Move inline scripts / styles into their own files (or an equivalent, such as whitelisting them by hash)
      2) Put in place some reporting / monitoring tooling inside Jenkins so we know when a rule is broken (CSP has a report-only mode that reports violations without blocking anything)
      3) Once we are sufficiently confident that all cases are covered, enforce the rules.

      Points 1 and 2 will already help prevent "direct" XSS, where variables are injected straight into the code. They will also clean up the different (and weird) ways variables are currently injected into JavaScript / CSS.

            People

            Assignee:
            Unassigned
            Reporter:
            wfollonier Wadeck Follonier
            Votes:
            1
            Watchers:
            3
