Skip to main content


Eclipse Community Forums

      Home
Home » Eclipse Projects » Remote Application Platform (RAP) » RAP and Content Security Policy
RAP and Content Security Policy [message #1820908] Fri, 31 January 2020 07:09 Go to next message
Eclipse UserFriend
I am currently working on a content security policy (CSP) for our RAP based application. Unfortunately, I could not find any resources regarding CSP and RAP. So, I started to define the policy step-by-step based on the errors reported in the browser and came up with the following policy which seems to work (at least no errors occurred during testing):
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'


However, this means that the policy needs to allow unsafe inline style attributes and script tag bodies as well as unsafe dynamic code evaluation (e.g. text-to-JavaScript mechanisms such as JavaScript eval()). Unfortunately, RAP is using such constructs.

Obviously, this is not a safe policy. Does anyone have experience regarding CSP and RAP? Are there any recommendations or best practices regarding CSP and RAP? Are there any plans to improve the RAP source code in order to be able to define a safe policy?
Re: RAP and Content Security Policy [message #1834797 is a reply to message #1820908] Wed, 18 November 2020 02:27 Go to previous messageGo to next message
Eclipse UserFriend
I am also facing same issue. Is there any solution to this issue.
Re: RAP and Content Security Policy [message #1836546 is a reply to message #1834797] Thu, 07 January 2021 04:20 Go to previous messageGo to next message
Eclipse UserFriend
Hi,

RAP is using JavaScript eval() in several places - for supporting Browser#evaluate and JavaScriptExecutor service. Unfortunately, there is no other way to support these features.

Regards,
Ivan
Re: RAP and Content Security Policy [message #1841223 is a reply to message #1836546] Thu, 06 May 2021 23:24 Go to previous messageGo to next message
Eclipse UserFriend
Hi,
Is there any plan to fix this issue ? if yes by when and in which release.

Thanks & Regards,
Amol
Re: RAP and Content Security Policy [message #1850293 is a reply to message #1836546] Thu, 24 February 2022 05:19 Go to previous messageGo to next message
Eclipse UserFriend
Hi Ivan,

We want to implement CSP with RAP too.

We'd like to implement it in a way that it's providing a strong additional mitigation layer against XSS attacks. However the src-script directive configuration that is currently required to run RAP (script-src 'self' 'unsafe-inline' 'unsafe-eval';) is too permissive.
CSP Evaluator allows to evaluate a CSP config and currently rates scripts-src values as follows:

  • 'unsafe-inline' as High severity: Quote:
    'unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.

  • 'self' as Possible medium severity finding: Quote:
    'self' can be problematic if you host JSONP, Angular or user uploaded files.

  • 'unsafe-eval' as Possible medium severity finding: Quote:
    'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().



About 'unsafe-inline'
In order to suppress the need for unsafe-inline (and even 'self') it looks like org.eclipse.rap.rwt.internal.service.StartupPage could be modified to support injecting a nonce value on script tags. (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#nonce-base64-value).

This would be a big step forward compared to using 'unsafe-inline'.
Do you see a problem with this approach? Should I create a feature request to track this?

About 'unsafe-eval'
I understand from previous email that there is no way to avoid using eval to support Browser.evaluate and JavascriptExecutor features.
However if our code does not use those features do you think there are other features that still need eval?
Re: RAP and Content Security Policy [message #1850375 is a reply to message #1850293] Mon, 28 February 2022 04:05 Go to previous messageGo to next message
Eclipse UserFriend
Hi Sebastien,

the "eval" is used by Browser widget, client scripting and JavaScriptExecutor. No other RAP client-side code requires the usage of "eval". What is your suggestion here?

Please open an enhancement request and create Gerrit changes with suggestions to improve the framework in this direction.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 04:40] by Moderator

Re: RAP and Content Security Policy [message #1850396 is a reply to message #1850375] Tue, 01 March 2022 04:47 Go to previous messageGo to next message
Eclipse UserFriend
Hi,

Just a small addition - BrowserFunction implementation is also based on javascript "eval" call.

Regards,
Ivan
Re: RAP and Content Security Policy [message #1850397 is a reply to message #1850293] Tue, 01 March 2022 05:44 Go to previous messageGo to next message
Eclipse UserFriend
Sebastien,

RAP framework is using 2 scripts by default:
1. inline script in rwt-index.html
2. RAP javascript client

We can add "nonce" attribute to them with predefined values in order to be used in the CSP. What do you think? For all other JS libraries registered in StartupPage we can also add "nonce" attribute with some kind of hash from the path.

But.... it will be better to open an enhancement request and continue the discussion there with your suggestions too.

Best regards,
Ivan

[Updated on: Tue, 01 March 2022 06:38] by Moderator

Re: RAP and Content Security Policy [message #1850463 is a reply to message #1850397] Thu, 03 March 2022 11:40 Go to previous message
Eclipse UserFriend
Thanks for your feedback. I opened https://bugs.eclipse.org/bugs/show_bug.cgi?id=579074
Previous Topic:Nebula RichTextEditor not working on Apache Tomcat (Java 11)
Next Topic:job request
Goto Forum:
  


Current Time: Tue Jun 17 14:13:55 EDT 2025

Powered by FUDForum. Page generated in 0.04196 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly