Eclipse Community Forums: Remote Application Platform (RAP)

Help

Home

Home » Eclipse Projects » Remote Application Platform (RAP) » RAP and Content Security Policy

Show: Today's Messages :: Show Polls :: Message Navigator

RAP and Content Security Policy [message #1820908]

Fri, 31 January 2020 12:09

Georg Breitschopf

Messages: 3
Registered: July 2018

Junior Member

I am currently working on a content security policy (CSP) for our RAP based application. Unfortunately, I could not find any resources regarding CSP and RAP. So, I started to define the policy step-by-step based on the errors reported in the browser and came up with the following policy which seems to work (at least no errors occurred during testing):

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'

However, this means that the policy needs to allow unsafe inline style attributes and script tag bodies as well as unsafe dynamic code evaluation (e.g. text-to-JavaScript mechanisms such as JavaScript eval()). Unfortunately, RAP is using such constructs.

Obviously, this is not a safe policy. Does anyone have experience regarding CSP and RAP? Are there any recommendations or best practices regarding CSP and RAP? Are there any plans to improve the RAP source code in order to be able to define a safe policy?

Report message to a moderator

Re: RAP and Content Security Policy [message #1834797 is a reply to message #1820908]

Wed, 18 November 2020 07:27

Amol Chandurkar

Messages: 5
Registered: December 2011

Junior Member

I am also facing same issue. Is there any solution to this issue.

Report message to a moderator

Re: RAP and Content Security Policy [message #1836546 is a reply to message #1834797]

Thu, 07 January 2021 09:20

Ivan Furnadjiev

Messages: 2427
Registered: July 2009
Location: Sofia, Bulgaria

Senior Member

Hi,

RAP is using JavaScript eval() in several places - for supporting Browser#evaluate and JavaScriptExecutor service. Unfortunately, there is no other way to support these features.

Regards,
Ivan

Report message to a moderator

Re: RAP and Content Security Policy [message #1841223 is a reply to message #1836546]

Fri, 07 May 2021 03:24

Amol Chandurkar

Messages: 5
Registered: December 2011

Junior Member

Hi,
Is there any plan to fix this issue ? if yes by when and in which release.

Thanks & Regards,
Amol

Report message to a moderator

Re: RAP and Content Security Policy [message #1850293 is a reply to message #1836546]

Thu, 24 February 2022 10:19

Sebastien Arod

Messages: 41
Registered: July 2009

Member

Hi Ivan,

We want to implement CSP with RAP too.

We'd like to implement it in a way that it's providing a strong additional mitigation layer against XSS attacks. However the src-script directive configuration that is currently required to run RAP (script-src 'self' 'unsafe-inline' 'unsafe-eval';) is too permissive.
CSP Evaluator allows to evaluate a CSP config and currently rates scripts-src values as follows:

'unsafe-inline' as High severity: Quote:
'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.
'self' as Possible medium severity finding: Quote:
'self' can be problematic if you host JSONP, Angular or user uploaded files.
'unsafe-eval' as Possible medium severity finding: Quote:
'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

About 'unsafe-inline'
In order to suppress the need for unsafe-inline (and even 'self') it looks like org.eclipse.rap.rwt.internal.service.StartupPage could be modified to support injecting a nonce value on script tags. (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#nonce-base64-value).

This would be a big step forward compared to using 'unsafe-inline'.
Do you see a problem with this approach? Should I create a feature request to track this?

About 'unsafe-eval'
I understand from previous email that there is no way to avoid using eval to support Browser.evaluate and JavascriptExecutor features.
However if our code does not use those features do you think there are other features that still need eval?

Report message to a moderator

Re: RAP and Content Security Policy [message #1850375 is a reply to message #1850293]

Mon, 28 February 2022 09:05

Ivan Furnadjiev

Messages: 2427
Registered: July 2009
Location: Sofia, Bulgaria

Senior Member

Hi Sebastien,

the "eval" is used by Browser widget, client scripting and JavaScriptExecutor. No other RAP client-side code requires the usage of "eval". What is your suggestion here?

Please open an enhancement request and create Gerrit changes with suggestions to improve the framework in this direction.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 09:40]

Report message to a moderator

Re: RAP and Content Security Policy [message #1850396 is a reply to message #1850375]

Tue, 01 March 2022 09:47

Ivan Furnadjiev

Messages: 2427
Registered: July 2009
Location: Sofia, Bulgaria

Senior Member

Hi,

Just a small addition - BrowserFunction implementation is also based on javascript "eval" call.

Regards,
Ivan

Report message to a moderator

Re: RAP and Content Security Policy [message #1850397 is a reply to message #1850293]

Tue, 01 March 2022 10:44

Ivan Furnadjiev

Messages: 2427
Registered: July 2009
Location: Sofia, Bulgaria

Senior Member

Sebastien,

RAP framework is using 2 scripts by default:
1. inline script in rwt-index.html
2. RAP javascript client

We can add "nonce" attribute to them with predefined values in order to be used in the CSP. What do you think? For all other JS libraries registered in StartupPage we can also add "nonce" attribute with some kind of hash from the path.

But.... it will be better to open an enhancement request and continue the discussion there with your suggestions too.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 11:38]

Report message to a moderator