[ 
https://issues.apache.org/jira/browse/DRILL-7642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arina Ielchiieva updated DRILL-7642:
------------------------------------
    Affects Version/s: 1.17.0

> Get rid of Web UI inline code to improve security
> -------------------------------------------------
>
>                 Key: DRILL-7642
>                 URL: https://issues.apache.org/jira/browse/DRILL-7642
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Security, Web Server
>    Affects Versions: 1.17.0
>            Reporter: Igor Guzenko
>            Priority: Major
>             Fix For: Future
>
>
> Application of *Content-Security-Policy* response header with value 
> '*default-src https:*' breaks down numerous components in Drill Web UI. The 
> main reason for the failures is the inline code used widely in Web UI. 
> According to web security best practices, such code is [considered 
> harmful|https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful]
>  and should be avoided. In order to make the UI work, we can apply only 
> the following header: 
> {code}
> "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"
> {code}
> This isn't as strict as necessary. Therefore it is necessary to rewrite all 
> places where inline code is used and ensure that the CSP header can provide 
> really strict rules for securing web pages.
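The header quoted in the issue, checked for the inline-code allowances the reporter is concerned about. This is an added example for this discussion, not Apache Drill code: the permissive header is the one from the issue, and the nonce-based `strict_csp` alternative and the helper names are constructed here.

```python
"""Audit a Content-Security-Policy header for how it admits inline code.
Added example for DRILL-7642; not part of Apache Drill. Sample headers below
are the ones quoted in the issue plus a constructed nonce-based alternative."""
import re
import secrets
from typing import Dict, List

# Header quoted in the issue: keeps Drill's inline scripts/styles working,
# but 'unsafe-inline' removes CSP's protection against injected script.
PERMISSIVE_CSP = ("default-src https:; script-src 'unsafe-inline' https:; "
                  "style-src 'unsafe-inline' https:; font-src data: https:; "
                  "img-src data: https:")

def strict_csp(nonce: str) -> str:
    """Constructed strict alternative: inline <script>/<style> elements run
    only if they carry this per-response nonce (nonce="...")."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            f"style-src 'nonce-{nonce}'; font-src 'self' data:; "
            "img-src 'self' data:; object-src 'none'; base-uri 'none'")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def inline_allowances(header: str) -> Dict[str, str]:
    """For script-src and style-src (falling back to default-src, as the
    browser does), report whether inline content is 'blocked', admitted only
    via 'nonce/hash', or wide open via 'unsafe-inline'. A nonce or hash in
    the same directive makes 'unsafe-inline' ignored by CSP2+ browsers."""
    policy = parse_csp(header)
    report = {}
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        nonce_or_hash = re.compile(r"'(nonce|sha(256|384|512))-.+'")
        if any(nonce_or_hash.fullmatch(s) for s in sources):
            report[directive] = "nonce/hash"
        elif "'unsafe-inline'" in sources:
            report[directive] = "unsafe-inline"
        else:
            report[directive] = "blocked"
    return report

if __name__ == "__main__":
    print(inline_allowances("default-src https:"))     # both blocked
    print(inline_allowances(PERMISSIVE_CSP))           # both unsafe-inline
    print(inline_allowances(strict_csp(secrets.token_urlsafe(16))))
```

With the issue's first header (`default-src https:`) the audit reports inline code blocked for both directives, which is why the Web UI breaks; the nonce form keeps it blocked for anything except server-marked elements.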
--
This message was sent by Atlassian Jira
(v8.3.4#803005)