[ 
https://issues.apache.org/jira/browse/DRILL-7642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Igor Guzenko updated DRILL-7642:
--------------------------------
    Description: 
Application of *Content-Security-Policy* response header with value 
'*default-src https:*' breaks down numerous components in Drill Web UI. The 
main reason for the failures is the inline code used widely in Web UI. 
According to web security best practices, such code is [considered 
harmful|https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful]
 and should be avoided. In order to make UI work, we can apply the only header: 

{code}
"Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
{code}

Which isn't as strict as necessary. Therefore it is necessary to rewrite all 
places where inline code is used and ensure that CSP header can provide really 
strict rules for securing web pages.


  was:
Application of *Content-Security-Policy* response header with value 
*default-src https:* breaks down numerous components in Drill Web UI. The main 
reason for the failures is the inline code used widely in Web UI. According to 
web security best practices, such code is [considered 
harmful|https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful]
 and should be avoided. In order to make UI work, we can apply the only header: 

{code}
"Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
{code}

Which isn't as strict as necessary. Therefore it is necessary to rewrite all 
places where inline code is used and ensure that CSP header can provide really 
strict rules for securing web pages.



> Get rid of  Web UI inline code to improve security
> --------------------------------------------------
>
>                 Key: DRILL-7642
>                 URL: https://issues.apache.org/jira/browse/DRILL-7642
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Security, Web Server
>            Reporter: Igor Guzenko
>            Priority: Major
>
> Application of *Content-Security-Policy* response header with value 
> '*default-src https:*' breaks down numerous components in Drill Web UI. The 
> main reason for the failures is the inline code used widely in Web UI. 
> According to web security best practices, such code is [considered 
> harmful|https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful]
>  and should be avoided. In order to make UI work, we can apply the only 
> header: 
> {code}
> "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
> {code}
> Which isn't as strict as necessary. Therefore it is necessary to rewrite all 
> places where inline code is used and ensure that CSP header can provide 
> really strict rules for securing web pages.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
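The issue above contrasts a strict `default-src https:` policy, which breaks Drill's inline scripts and styles, with a relaxed policy that adds `'unsafe-inline'` to `script-src` and `style-src`. The following is an added example (not code from the Drill project or the reporter) that parses a CSP header the way a browser resolves it (fetch directives falling back to `default-src`) and reports whether inline script or style is permitted, then builds a nonce-based policy that stays strict once the inline code has been moved out of the pages. The `strict_csp` directive list and the nonce length are assumptions for illustration, not Drill's configuration.

```python
"""Added example: resolve a Content-Security-Policy header and check
whether it still permits inline script/style, then construct a strict
nonce-based alternative.  Not part of the Apache Drill project."""
import secrets

# Constructed sample: the relaxed header quoted in the issue description.
PERMISSIVE_CSP = (
    "default-src https:; script-src 'unsafe-inline' https:; "
    "style-src 'unsafe-inline' https:; font-src data: https:; "
    "img-src data: https:"
)

# Constructed sample: the strict policy the issue says breaks the Web UI.
STRICT_DEFAULT_CSP = "default-src https:"

# Source expressions that, when present, make browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive.  Browsers honour only the first
    occurrence of a duplicated directive, so the first one wins here too.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src fall back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def allows_inline(policy, directive):
    """True if the directive permits inline code for script-src/style-src.

    Inline is allowed only by 'unsafe-inline', and a nonce or hash source in
    the same directive causes conforming browsers to ignore 'unsafe-inline'.
    """
    sources = [s.strip("'").lower() for s in effective_sources(policy, directive)]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return "unsafe-inline" in sources and not has_nonce_or_hash


def inline_report(header):
    """Summarise whether a header lets inline scripts and styles run."""
    policy = parse_csp(header)
    return {
        "script": allows_inline(policy, "script-src"),
        "style": allows_inline(policy, "style-src"),
    }


def new_nonce():
    """Per-response nonce; 16 random bytes is an assumed, adequate size."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce):
    """Assumed strict policy: only external or nonce-tagged script/style.

    Each <script> or <style> emitted by the server must carry
    nonce="<nonce>" for the browser to execute it; anything injected into
    the page without the nonce is blocked.
    """
    return (
        "default-src 'none'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        "img-src 'self' data:; font-src 'self' data:; connect-src 'self'"
    )


if __name__ == "__main__":
    print("relaxed  :", inline_report(PERMISSIVE_CSP))
    print("strict   :", inline_report(STRICT_DEFAULT_CSP))
    print("nonce    :", inline_report(strict_csp(new_nonce())))
```

Run against the relaxed header, `inline_report` shows both script and style inline code enabled, which is exactly the weakening the issue objects to; against `default-src https:` it shows neither, which is why the unmodified UI breaks. The nonce-based policy keeps inline code blocked unless the server tagged it, so it only becomes usable after the templates stop relying on untagged inline scripts.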
