jive
November 12, 2024, 10:46pm
1
The following proposal is ready for voting:
This proposal reflects the gradual ongoing change in our codebase to introduce content-security-policy headers to block browser use of inline style and inline JavaScript.
This motion is held open until November 18th with the following support. The work discussed is available as [GEOS-11346] Add a configurable Content-Security-Policy header by sikeoka · Pull Request #7514 · geoserver/geoserver · GitHub for those interested.
Project Steering Committee:
Alessio Fabiani:
Andrea Aime:
Ian Turton:
Jody Garnett: +1
Jukka Rahkonen:
Kevin Smith:
Simone Giannecchini:
Torben Barsballe:
Nuno Oliveira:
Peter Smythe:
Community support:
According to our voting rules:
“Voting remains open for ten days or until all PSC members have cast their vote.”
This is the first mail I have seen requesting a vote on GSIP 227, so voting is open until November 22nd.
For those that are wondering what CSP even is, I’ve found this page useful:
Follow our guide on how to set up a Content Security Policy (CSP) for your website. We'll include common directives for you to mix and match along with security header examples.
Also, the GSIP is a retrofit of a pull request that has been open for a while and has been subject to a number of simplification rounds, making sure we're not asking administrators to set up the CSP headers manually, unless they want to change something.
In particular, the PR documentation updates indicate the default CSP configuration, here:
geoserver:main ← sikeoka:GEOS-11346, opened 03:04PM - 26 Mar 24 UTC
This PR adds the Content-Security-Policy header to GeoServer responses based on the request path and query and server properties, a default configuration that should support existing GeoServer functionality, a web interface for administrators to update the configuration and documentation updates. This PR is **NOT** intended to be backported.
The primary benefit of this work is to provide mitigations for security issues with WMS GetFeatureInfo HTML templates (also applies to the new WFS GetFeature HTML output), static HTML files and the OGC API community modules and to encourage developers contributing new HTML functionality to follow more secure coding practices.
# Checklist
- [x] I have read the [contribution guidelines](https://github.com/geoserver/geoserver/blob/main/CONTRIBUTING.md).
- [x] I have sent a [Contribution Licence Agreement](https://docs.geoserver.org/latest/en/developer/policies/committing.html) (not required for small changes, e.g., fixing typos in documentation).
- [x] First PR targets the `main` branch (backports managed later; ignore for branch specific issues).
- [x] All the build checks are green ([see automated QA checks](https://docs.geoserver.org/latest/en/developer/qa-guide/index.html)).
For core and extension modules:
- [x] New unit tests have been added covering the changes.
- [x] [Documentation](https://github.com/geoserver/geoserver/tree/main/doc/en/user/source) has been updated (if change is visible to end users).
- [ ] The [REST API docs](https://github.com/geoserver/geoserver/tree/main/doc/en/api/1.0.0) have been updated (when changing configuration objects or the REST controllers).
- [x] There is an issue in the [GeoServer Jira](https://osgeo-org.atlassian.net/browse/GEOS/summary) (except for changes that do not affect administrators or end users in any way).
- [x] Commit message(s) must be in the form ``[GEOS-XYZWV] Title of the Jira ticket``.
- [x] Bug fixes and small new features are presented as a single commit.
- [x] Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).
I have to admit my grasp of this is still weak, but it's much more understandable than it was when it first came out. I wish I could vote +0.5? ROFL.
I’ll round it up to +1, there!
Cheers
Andrea
jive
November 13, 2024, 6:13pm
4
Thanks Andrea, I have updated the proposal with the link you provided.
I am +1 based on the reduction in vulnerability score for any future CVE issues. If this policy had been in place, several of our recent vulnerabilities would have scored lower or been averted.
+1
Cheers,
Torben
jive
November 19, 2024, 10:29pm
7
Welcome to discourse Kevin, and thanks for joining us here.
The GSIP is updated with your vote.