The use of 'unsafe-inline' or 'unsafe-eval' or '*' in the
Content-Security-Policy lines of manifest.json files is the equivalent
of 'setenforce 0'.

http://cockpit-project.org/guide/latest/packages.html#package-manifest

It's not okay to disable this security measure for code included in the
Cockpit codebase. This security measure prevents XSS, code-injection and
other security attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

To bring this closer to home, the following aren't allowed:

 * onclick='...' attributes
   -> Attach event handlers from JavaScript instead.

 * <script> ... </script> inline scripts
   -> Include a script file rather than inline scripts

 * <style> ... </style> inline CSS
   -> Include this in your CSS file rather than inline

 * style='...' attributes
   -> Use your CSS file or JavaScript to set dynamic styles

 * eval() or Function()
   -> Never evaluate JavaScript directly

By default Cockpit will refuse to allow them in loaded pages or
JavaScript ... and we shouldn't use 'unsafe-inline' or 'unsafe-eval' in
the manifest.json file to bypass this.

I've added some testing so that such code in the Cockpit repository will
be detected.

https://github.com/cockpit-project/cockpit/pull/7391

Happy hacking,

Stef
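As an added illustration (not the test code from the pull request above), the following Node.js lint pass flags the manifest.json CSP tokens and the inline HTML/JavaScript constructs listed in the post; it assumes the manifest stores its policy under a top-level "content-security-policy" key, and the sample manifests and page sources are constructed.

```javascript
// Added example (not Cockpit's own test code): lint a package's manifest.json
// and sources for the constructs the post forbids. Node.js, no dependencies.
// ASSUMPTION: the manifest carries its CSP under the top-level key
// "content-security-policy" (see the linked package-manifest guide).

const FORBIDDEN_CSP_TOKENS = new Set(["'unsafe-inline'", "'unsafe-eval'", "*"]);

// Map each CSP directive to the forbidden source tokens it contains.
// Whole tokens only, so 'self' or https://*.example.com are not flagged.
function findUnsafeCspTokens(manifest) {
  const findings = {};
  for (const directive of (manifest["content-security-policy"] || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    const bad = sources.filter(s => FORBIDDEN_CSP_TOKENS.has(s));
    if (name && bad.length) findings[name] = bad;
  }
  return findings;
}

// Patterns for the HTML and JavaScript constructs a strict CSP blocks.
const SOURCE_PATTERNS = [
  ["inline event handler", /\son[a-z]+\s*=\s*["']/gi],
  ["inline <script>", /<script\b(?![^>]*\bsrc\s*=)[^>]*>/gi],
  ["inline <style>", /<style\b[^>]*>/gi],
  ["style attribute", /\sstyle\s*=\s*["']/gi],
  ["eval()", /\beval\s*\(/g],
  ["Function()", /\bFunction\s*\(/g],
];

// Return one "label: match" string per offending construct in a source file.
function findInlineCode(source) {
  return SOURCE_PATTERNS.flatMap(([label, re]) =>
    (source.match(re) || []).map(m => `${label}: ${m.trim()}`));
}

// Constructed sample inputs: a manifest that bypasses the policy and a page
// that relies on that bypass, beside the compliant alternatives.
const BAD_MANIFEST = { "content-security-policy":
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *" };
const GOOD_MANIFEST = { "content-security-policy":
  "default-src 'self'; img-src 'self' https://*.example.com" };
const BAD_HTML = `<button onclick="save()">Save</button>
<script>var x = eval(localStorage.cfg);</script>
<div style="color:red">hot</div>`;
const GOOD_HTML = `<button id="save">Save</button>
<script src="page.js"></script>`;
const GOOD_JS = `document.getElementById("save").addEventListener("click", save);
const cfg = JSON.parse(localStorage.cfg);`;

console.log(findUnsafeCspTokens(BAD_MANIFEST), findInlineCode(BAD_HTML));
```

Running it reports the two script-src tokens, the img-src wildcard, and four offending constructs in BAD_HTML, while the compliant manifest and sources produce no findings.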
