GSIP-227: Content-Security-Policy Headers

The following proposal is ready for voting:

This proposal reflects the gradual ongoing change in our codebase to introduce content-security-policy headers to block browser use of inline style and inline JavaScript.

This motion is held open until November 18th with the following support. The work discussed is available as [GEOS-11346] Add a configurable Content-Security-Policy header by sikeoka · Pull Request #7514 · geoserver/geoserver · GitHub for those interested.

Project Steering Committee:

  • Alessio Fabiani:
  • Andrea Aime:
  • Ian Turton:
  • Jody Garnett: +1
  • Jukka Rahkonen:
  • Kevin Smith:
  • Simone Giannecchini:
  • Torben Barsballe:
  • Nuno Oliveira:
  • Peter Smythe:

Community support:

  • Steve Ikeoka
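A small defender-side check for the kind of policy this proposal introduces, added here as an example and not code from the GeoServer pull request: it parses a Content-Security-Policy header and reports whether unnonced inline script and inline style would still run. The sample header values are constructed for the example and are not the PR's defaults.

```python
from __future__ import annotations

# Hypothetical sample policies, constructed for this example (not GeoServer's defaults).
SAMPLE_STRICT = "default-src 'self'; script-src 'self'; style-src 'self'"
SAMPLE_LOOSE = "default-src 'self' 'unsafe-inline'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, and directive
    names case-insensitive. A directive repeated within one policy is ignored
    after its first occurrence, which is how browsers treat it.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def allows_inline(policy: dict[str, list[str]], directive: str) -> bool:
    """True if unnonced inline content governed by `directive` may run.

    script-src / style-src fall back to default-src; if neither is present
    the browser imposes no restriction, so inline content runs. When a nonce
    or hash source is listed, browsers ignore 'unsafe-inline', so inline
    content without a matching nonce/hash stays blocked. The *-elem / *-attr
    variants and multiple CSP headers are not modelled here.
    """
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


def inline_report(header: str) -> dict[str, bool]:
    """Report whether a header lets inline script and inline style execute."""
    policy = parse_csp(header)
    return {
        "inline_script": allows_inline(policy, "script-src"),
        "inline_style": allows_inline(policy, "style-src"),
    }


if __name__ == "__main__":
    for name, header in (("strict", SAMPLE_STRICT), ("loose", SAMPLE_LOOSE)):
        print(name, inline_report(header))
```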

According to our voting rules:

“Voting remains open for ten days or until all PSC members have cast their vote.”

This is the first mail I see requesting a vote about GSIP 227, so, voting open until November 22nd.

For those that are wondering what CSP even is, I’ve found this page useful:

Also, the GSIP is a retrofit of a pull request that has been open for a while and subject to a number of simplification rounds, making sure we’re not asking administrators to set up the CSP headers manually, unless they want to change something.

In particular, the PR documentation updates indicate the default CSP configuration, here:

I have to admit my grasp over this is still weak, but it’s much more understandable than it was when it first came out. I wish I could vote +0.5? ROFL.

I’ll round it up to +1, there!

Cheers
Andrea

+0

Thanks Andrea, I have updated the proposal with the link you provided.

I am +1 based on the reduction in vulnerability score for any future CVE issues. If this policy was in place several of our recent vulnerabilities would have scored lower, or been averted.

+1

Cheers,
Torben

On Tue, Nov 12, 2024 at 2:48 PM Jody Garnett via OSGeo Discourse <noreply@discourse.osgeo.org> wrote:

+1

Welcome to discourse Kevin, and thanks for joining us here.

The GSIP is updated with your vote.

My late +1 vote.

-Jukka Rahkonen-