Eclipse Community Forums: Remote Application Platform (RAP)
RAP and Content Security Policy [message #1820908] Fri, 31 January 2020 12:09
Georg Breitschopf (Messages: 3, Registered: July 2018, Junior Member)
I am currently working on a content security policy (CSP) for our RAP-based application. Unfortunately, I could not find any resources regarding CSP and RAP. So, I started to define the policy step by step based on the errors reported in the browser and came up with the following policy, which seems to work (at least no errors occurred during testing):
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'


However, this means that the policy needs to allow unsafe inline style attributes and script tag bodies as well as unsafe dynamic code evaluation (e.g. text-to-JavaScript mechanisms such as JavaScript eval()). Unfortunately, RAP is using such constructs.

Obviously, this is not a safe policy. Does anyone have experience regarding CSP and RAP? Are there any recommendations or best practices regarding CSP and RAP? Are there any plans to improve the RAP source code in order to be able to define a safe policy?
Re: RAP and Content Security Policy [message #1834797 is a reply to message #1820908] Wed, 18 November 2020 07:27
Amol Chandurkar (Messages: 5, Registered: December 2011, Junior Member)
I am also facing the same issue. Is there any solution to this issue?
Re: RAP and Content Security Policy [message #1836546 is a reply to message #1834797] Thu, 07 January 2021 09:20
Ivan Furnadjiev (Messages: 2427, Registered: July 2009, Location: Sofia, Bulgaria, Senior Member)
Hi,

RAP is using JavaScript eval() in several places, for supporting Browser#evaluate and the JavaScriptExecutor service. Unfortunately, there is no other way to support these features.

Regards,
Ivan
Re: RAP and Content Security Policy [message #1841223 is a reply to message #1836546] Fri, 07 May 2021 03:24
Amol Chandurkar (Messages: 5, Registered: December 2011, Junior Member)
Hi,
Is there any plan to fix this issue? If yes, by when and in which release?

Thanks & Regards,
Amol
Re: RAP and Content Security Policy [message #1850293 is a reply to message #1836546] Thu, 24 February 2022 10:19
Sebastien Arod (Messages: 41, Registered: July 2009, Member)
Hi Ivan,

We want to implement CSP with RAP too.

We'd like to implement it in a way that provides a strong additional mitigation layer against XSS attacks. However, the script-src directive configuration that is currently required to run RAP (script-src 'self' 'unsafe-inline' 'unsafe-eval';) is too permissive.
CSP Evaluator allows evaluating a CSP config and currently rates the script-src values as follows:

  • 'unsafe-inline': High severity. "'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers."
  • 'self': Possible medium severity finding. "'self' can be problematic if you host JSONP, Angular or user uploaded files."
  • 'unsafe-eval': Possible medium severity finding. "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval()."

About 'unsafe-inline'
In order to suppress the need for unsafe-inline (and even 'self') it looks like org.eclipse.rap.rwt.internal.service.StartupPage could be modified to support injecting a nonce value on script tags. (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#nonce-base64-value).

This would be a big step forward compared to using 'unsafe-inline'.
Do you see a problem with this approach? Should I create a feature request to track this?

About 'unsafe-eval'
I understand from the previous email that there is no way to avoid using eval to support the Browser.evaluate and JavaScriptExecutor features.
However, if our code does not use those features, do you think there are other features that still need eval?
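As an added illustration of the ratings quoted above (this is not RAP code and not CSP Evaluator itself; the class and method names are ours), the following audit parses a policy string and reports the three script-src findings the post lists, falling back to default-src when script-src is absent, as browsers do. It is run against the policy from the first post and against a nonce-based variant of the kind proposed here (the nonce value is a placeholder). One detail worth knowing when migrating: once a 'nonce-…' or 'sha…' source is present in script-src, CSP Level 2 browsers ignore 'unsafe-inline' in that directive, so the two can be deployed together during a transition.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Minimal audit of the script-src directive of a CSP string, mirroring the
 * three CSP Evaluator findings quoted in the forum post. Added example; not
 * part of RAP or of CSP Evaluator.
 */
public class CspScriptSrcAudit {

    /** Split "a b; c d" into directive name -> source list. A repeated directive is ignored, as browsers do. */
    static Map<String, List<String>> parse(String policy) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;
            String name = tokens[0].toLowerCase();
            if (directives.containsKey(name)) continue;
            directives.put(name, Arrays.asList(tokens).subList(1, tokens.length));
        }
        return directives;
    }

    /** Findings for script-src, falling back to default-src when script-src is not set. */
    static List<String> audit(String policy) {
        Map<String, List<String>> d = parse(policy);
        List<String> sources = d.containsKey("script-src") ? d.get("script-src") : d.get("default-src");
        List<String> findings = new ArrayList<>();
        if (sources == null) {
            findings.add("HIGH: neither script-src nor default-src is set; script loading is unrestricted");
            return findings;
        }
        // CSP2: a nonce or hash source makes browsers ignore 'unsafe-inline' in the same directive.
        boolean hasNonceOrHash = sources.stream()
            .anyMatch(s -> s.startsWith("'nonce-") || s.startsWith("'sha"));
        for (String s : sources) {
            switch (s.toLowerCase()) {
                case "'unsafe-inline'":
                    findings.add(hasNonceOrHash
                        ? "INFO: 'unsafe-inline' is ignored by CSP Level 2 browsers because a nonce/hash source is present"
                        : "HIGH: 'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers");
                    break;
                case "'unsafe-eval'":
                    findings.add("POSSIBLE MEDIUM: 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval()");
                    break;
                case "'self'":
                    findings.add("POSSIBLE MEDIUM: 'self' can be problematic if you host JSONP, Angular or user uploaded files");
                    break;
                default:
                    break;
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // The policy the thread starts from.
        String rapPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
        // A nonce-based alternative; the nonce here is a placeholder, a real one is random per response.
        String noncePolicy = "default-src 'self'; script-src 'nonce-cGxhY2Vob2xkZXI='; style-src 'self' 'unsafe-inline'";
        for (String p : new String[] { rapPolicy, noncePolicy }) {
            System.out.println(p);
            for (String f : audit(p)) {
                System.out.println("  " + f);
            }
        }
    }
}
```

The first policy yields one HIGH and two POSSIBLE MEDIUM findings for script-src; the nonce-based one yields none, which is the improvement the post is after. Keep in mind that the audit only looks at script-src: the 'unsafe-inline' in style-src, which RAP also needs, is a separate (lower-impact) finding.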
Re: RAP and Content Security Policy [message #1850375 is a reply to message #1850293] Mon, 28 February 2022 09:05
Ivan Furnadjiev (Messages: 2427, Registered: July 2009, Location: Sofia, Bulgaria, Senior Member)
Hi Sebastien,

The "eval" is used by the Browser widget, client scripting and JavaScriptExecutor. No other RAP client-side code requires the usage of "eval". What is your suggestion here?

Please open an enhancement request and create Gerrit changes with suggestions to improve the framework in this direction.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 09:40]

Re: RAP and Content Security Policy [message #1850396 is a reply to message #1850375] Tue, 01 March 2022 09:47
Ivan Furnadjiev (Messages: 2427, Registered: July 2009, Location: Sofia, Bulgaria, Senior Member)
Hi,

Just a small addition - BrowserFunction implementation is also based on javascript "eval" call.

Regards,
Ivan
Re: RAP and Content Security Policy [message #1850397 is a reply to message #1850293] Tue, 01 March 2022 10:44
Ivan Furnadjiev (Messages: 2427, Registered: July 2009, Location: Sofia, Bulgaria, Senior Member)
Sebastien,

The RAP framework is using 2 scripts by default:
1. inline script in rwt-index.html
2. RAP javascript client

We can add "nonce" attribute to them with predefined values in order to be used in the CSP. What do you think? For all other JS libraries registered in StartupPage we can also add "nonce" attribute with some kind of hash from the path.

But.... it will be better to open an enhancement request and continue the discussion there with your suggestions too.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 11:38]
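For readers trying the nonce route, here is an added example of the server-side half of it: a plain javax.servlet filter (not RAP code, not from this thread; on Jakarta EE 9+ the package is jakarta.servlet) that mints a fresh nonce for every response, publishes it in a request attribute under a name we chose, and sends the matching Content-Security-Policy header. Two caveats a practitioner should keep in mind. First, a nonce only works if it is unpredictable and different for every response; a "predefined" value or one derived from the script path is known to an attacker in advance, and 'nonce-…' then protects no better than 'unsafe-inline'. Second, the filter alone does not make RAP work: until the startup page and the client script tags carry the same nonce (the change discussed above), the browser will block RAP's own inline script, so start with Content-Security-Policy-Report-Only and watch the violation reports.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Issues a fresh CSP nonce per response and sets the matching header.
 * Added example, not part of RAP. The page renderer (in RAP's case the
 * startup page) must copy the nonce from NONCE_ATTRIBUTE onto every
 * script tag it emits; that part is what the enhancement request is about.
 */
public class CspNonceFilter implements Filter {

    /** Request attribute under which the nonce is published to renderers (our name, hypothetical). */
    public static final String NONCE_ATTRIBUTE = "csp.nonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    private boolean needsEval;

    /** 128 bits from a CSPRNG, base64-encoded: unpredictable and unique per response. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /**
     * Policy for one response. Only scripts carrying this nonce may run, so
     * 'unsafe-inline' is absent. 'unsafe-eval' is added only when the
     * application uses Browser#evaluate, BrowserFunction, JavaScriptExecutor
     * or client scripting, the RAP features named in the thread as eval-based.
     */
    static String policyFor(String nonce, boolean needsEval) {
        String scriptSrc = "'nonce-" + nonce + "'" + (needsEval ? " 'unsafe-eval'" : "");
        return "default-src 'self'"
            + "; script-src " + scriptSrc
            + "; style-src 'self' 'unsafe-inline'"
            + "; object-src 'none'"
            + "; base-uri 'self'";
    }

    /** The shape of tag the startup page would have to emit; base64 needs no HTML escaping. */
    static String scriptTag(String src, String nonce) {
        return "<script nonce=\"" + nonce + "\" src=\"" + src + "\"></script>";
    }

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param: set to "true" only if eval-based RAP features are in use.
        needsEval = "true".equalsIgnoreCase(config.getInitParameter("allowUnsafeEval"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String nonce = newNonce();
        request.setAttribute(NONCE_ATTRIBUTE, nonce);
        if (response instanceof HttpServletResponse) {
            // Header must be set before the response is committed, hence before chain.doFilter.
            // Use "Content-Security-Policy-Report-Only" here while rolling the policy out.
            ((HttpServletResponse) response).setHeader("Content-Security-Policy", policyFor(nonce, needsEval));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in web.xml (or via @WebFilter) in front of the RAP servlet. Note that 'self' is intentionally left out of script-src: once every script tag carries the nonce, 'self' only widens the policy, which is the "even 'self'" point made earlier in the thread.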

Re: RAP and Content Security Policy [message #1850463 is a reply to message #1850397] Thu, 03 March 2022 16:40
Sebastien Arod (Messages: 41, Registered: July 2009, Member)
Thanks for your feedback. I opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=579074