[Geoserver-devel] [JIRA] (GEOS-10653) Compatibility of Geoserver management interface with strict and secure CSP-headers

Wim DGGroep created an issue

GeoServer / Improvement GEOS-10653

Compatibility of Geoserver management interface with strict and secure CSP-headers

Issue Type:

Improvement

Affects Versions:

2.20.4

Assignee:

Unassigned

Components:

Security

Created:

15/Sep/22 4:19 PM

Environment:

Windows server, Tomcat application platform.

Priority:

Medium

Reporter:

Wim DGGroep

Our organization’s security policy requires the setting of Content Security Policy (CSP) headers in Tomcat. The GeoServer management interface, however, is not compatible with strict and safe CSP headers. In order for the GeoServer management interface to be able to function, the following CSP headers must be set:

    default-src 'none';
    script-src 'self' 'unsafe-inline' 'unsafe-eval';
    connect-src 'self';
    img-src 'self' data:;
    style-src 'self' 'unsafe-inline';
    base-uri 'self';
    form-action 'self';
    frame-ancestors 'self';
    block-all-mixed-content;
    frame-src 'self'

The unsafe headers are the ones related to script-src: 'unsafe-inline' and 'unsafe-eval' are necessary; otherwise the GeoServer management interface stops functioning in certain areas (for example, adding a new SQL view).

The unsafe headers alas weaken the website’s protection against cross-site scripting attacks.
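As an added illustration of the trade-off described in this report (example code written for this page, not GeoServer or Tomcat code): the policy above can be parsed and audited to show exactly which source expressions weaken XSS protection, and the `STRICT_POLICY` used for comparison is an assumption about the organization's preferred policy rather than anything stated in the issue. The audit resolves default-src fallback the way browsers do, treats 'unsafe-inline' as neutralised only when a nonce or hash source is also present, and flags the navigation directives that never inherit from default-src.

```python
"""Audit a Content-Security-Policy header for values that weaken XSS protection.

Added example (not GeoServer or Tomcat code): parses a serialized CSP policy and
reports the script-related allowances the issue describes as unsafe.
"""
from typing import Dict, List

# Constructed input: the minimum policy the issue reports as needed by the GeoServer UI.
GEOSERVER_MIN_POLICY = (
    "default-src 'none'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "connect-src 'self'; "
    "img-src 'self' data:; "
    "style-src 'self' 'unsafe-inline'; "
    "base-uri 'self'; "
    "form-action 'self'; "
    "frame-ancestors 'self'; "
    "block-all-mixed-content; "
    "frame-src 'self'"
)

# Constructed comparison: a stricter policy of the kind the reporter's organization
# would prefer (an assumption for this example; the issue does not state a target policy).
STRICT_POLICY = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; "
    "style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; "
    "frame-src 'self'"
)

# Fetch directives that fall back to default-src when they are absent (CSP Level 3).
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}

# Document/navigation directives that do NOT inherit from default-src, so they must be explicit.
MUST_BE_EXPLICIT = ("base-uri", "form-action", "frame-ancestors")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Directive names are case-insensitive; the first occurrence of a directive wins
    and later duplicates are ignored, as user agents do.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue
        policy[name] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Resolve the source list that actually governs `directive`, honouring default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def audit(header: str) -> List[str]:
    """Return human-readable findings; an empty list means no weakening value was found."""
    findings: List[str] = []
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")

    if not script:
        findings.append("script-src is not governed by any directive (no script-src, no default-src)")

    # 'unsafe-inline' is ignored by CSP3 browsers only when a nonce or hash source is also listed.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts will execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() on attacker strings will run")
    if "*" in script or any(s in ("http:", "https:", "data:") for s in script):
        findings.append("script-src allows scripts from arbitrary origins or data: URLs")

    for directive in MUST_BE_EXPLICIT:
        if directive not in policy:
            findings.append(f"{directive} is missing and does not inherit from default-src")
    return findings


if __name__ == "__main__":
    for label, header in (("GeoServer minimum", GEOSERVER_MIN_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {audit(header) or ['no findings']}")
```

Run against the policy from this report the audit yields exactly the two script-src findings the reporter names; against the assumed strict policy it yields none, which is the gap an administrator has to accept until the interface no longer needs inline and eval'd script.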


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100207-sha1:4ec4822)