
0013168: set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"

Open Gloirin opened this issue 6 years ago • 3 comments

Reported by JPRuehmann on 2 Jun 2017 08:21

Version: 2017.02.3 Community Edition

Is there a way to run Tine without 'unsafe-inline' 'unsafe-eval'?

Steps to reproduce: Run Apache with Header set Content-Security-Policy "default-src 'self'" in the site config. That is the proposed default from Mozilla Observer.

Gloirin avatar Jun 09 '18 17:06 Gloirin

Comment posted by pschuele on 12 Jun 2017 10:21

You could try adding the header here: Tinebase_Frontend_Http::_setMainscreenHeaders (file tine20/Tinebase/Frontend/Http.php, line ~286)

... and send us a patch if it works for you.

Gloirin avatar Jun 11 '18 10:06 Gloirin

Comment posted by JPRuehmann on 12 Jun 2017 10:42

Thanks, I don't know enough to add this without completely destroying Tine, sorry. Could you give me a diff so I can see the difference between how it looks now and how it should look afterwards? Thanks

Gloirin avatar Jun 11 '18 10:06 Gloirin

CSP can be dangerous. Start with the reporting-only mode for CSP.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only

DanielRuf avatar Jul 11 '19 18:07 DanielRuf
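An added example, not Tine 2.0 code and not from any commenter, of how a policy could be emitted from PHP at the hook pschuele points at, rolled out in report-only mode first as DanielRuf suggests. The function names and the /csp-report endpoint are assumptions; the two policies are the one from this issue's title and the strict default the reporter tried.

```php
<?php
// Hypothetical helpers; not part of Tine 2.0. Intended to be called from a
// place that sets response headers before any output is sent.

/**
 * Serialize a directive map into a CSP header value,
 * e.g. ['default-src' => ["'self'"], 'img-src' => ["'self'", 'data:']].
 */
function buildCspValue(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

/**
 * List the 'unsafe-*' keywords present per directive, so a deployer can
 * see how far a policy is from the strict "default-src 'self'" baseline.
 */
function findUnsafeKeywords(array $directives): array
{
    $found = [];
    foreach ($directives as $name => $sources) {
        $unsafe = array_values(array_intersect($sources, ["'unsafe-inline'", "'unsafe-eval'"]));
        if ($unsafe) {
            $found[$name] = $unsafe;
        }
    }
    return $found;
}

/**
 * Send the policy. In report-only mode the browser reports violations
 * (to report-uri, or the console) but does not block anything, so a
 * too-strict policy cannot break the UI while it is being tuned.
 */
function sendCspHeader(array $directives, bool $reportOnly, ?string $reportUri = null): void
{
    $value = buildCspValue($directives);
    if ($reportUri !== null) {
        $value .= '; report-uri ' . $reportUri;
    }
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . $value);
}

$current = ['default-src' => ['https:', 'data:', "'unsafe-inline'", "'unsafe-eval'"]]; // policy from the title
$strict  = ['default-src' => ["'self'"]];                                              // reporter's strict policy
sendCspHeader($strict, true, '/csp-report'); // assumed report endpoint; switch to false once reports are clean
```

findUnsafeKeywords($current) returns the two keywords under default-src, while the strict policy returns an empty array.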