Wim DGGroep created an issue |
Compatibility of Geoserver management interface with strict and secure CSP-headers |
| Field | Value |
|---|---|
| Issue Type | Improvement |
| Affects Versions | 2.20.4 |
| Assignee | Unassigned |
| Components | Security |
| Created | 15/Sep/22 4:19 PM |
| Environment | Windows server, Tomcat application platform. |
| Priority | Medium |
| Reporter | |
Our organization’s security policy requires the setting of Content Security Policy (CSP) headers in Tomcat. The Geoserver management interface, however, is not compatible with strict and safe CSP headers. In order for the Geoserver management interface to be able to function, the following CSP headers must be set: {{default-src ‘none’;

The unsafe headers are the ones related to script-src: 'unsafe-inline' and 'unsafe-eval' are necessary, otherwise the Geoserver management interface stops functioning on certain aspects (like, for example, adding a new SQL view). The unsafe headers alas weaken the website’s protection against cross-site scripting attacks.
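Added example, not code from the issue or from the GeoServer project: a small Python audit of a CSP header of the kind the report describes. It parses the header, flags the weak keywords per directive, shows which sources actually govern scripts when `script-src` is absent, and notes when a nonce or hash source makes browsers ignore `'unsafe-inline'`. The sample header is constructed for illustration; the reporter's full policy is cut off above.

```python
"""Audit a Content-Security-Policy header for the keywords that weaken XSS protection."""

# The two source keywords that reintroduce inline/eval script execution.
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

# Constructed sample, modelled on a policy that keeps default-src 'none' but
# has to loosen script-src for the management UI (not the reporter's exact header).
GEOSERVER_LIKE_CSP = (
    "default-src 'none'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; the first token is the name, the rest are
    source expressions. If a directive is repeated, browsers keep the first
    occurrence, so later duplicates are ignored here as well.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def weak_keywords_by_directive(header: str) -> dict[str, list[str]]:
    """Return {directive: [weak keywords present]} for every directive that carries one."""
    findings: dict[str, list[str]] = {}
    for name, sources in parse_csp(header).items():
        weak = [s for s in sources if s.lower() in WEAK_KEYWORDS]
        if weak:
            findings[name] = weak
    return findings


def effective_script_sources(header: str) -> list[str]:
    """Sources governing scripts: script-src if present, otherwise default-src (the fallback)."""
    policy = parse_csp(header)
    return policy["script-src"] if "script-src" in policy else policy.get("default-src", [])


def unsafe_inline_is_ignored(sources: list[str]) -> bool:
    """CSP level 2+: a nonce- or hash-source in the list makes browsers ignore 'unsafe-inline'."""
    hash_prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.lower().startswith(hash_prefixes) for s in sources)


if __name__ == "__main__":
    print("weak keywords:", weak_keywords_by_directive(GEOSERVER_LIKE_CSP))
    print("script sources:", effective_script_sources(GEOSERVER_LIKE_CSP))
```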