tickets #161132

open

Content-Security-Policy (CSP)

Added by lukas.vyparina@suse.com about 1 month ago. Updated 19 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2024-05-29
Due date: -
% Done: 0%
Estimated time: -

Description

Dear team,
The attached document has URLs that have issues with web application headers,
specifically with Content Security Policy, and are marked by multiple third-party
security assessment vendors such as BitSight as having a bad mark. The
reports from these vendors are being used by our customers to assess /
judge our security posture, which sometimes becomes a road blocker in new
/ renewal sales deals. Hence it is recommended to remediate this issue.

Description:
When used, their presence indicates a company has a good cyber security
posture. A properly configured Content-Security-Policy (CSP) can help
prevent cross-site scripting (XSS) attacks by restricting the origins of
JavaScript, CSS, and other potentially dangerous resources.

As the remediation differs from site to site here are some points:

- Implement directives that set valid source restrictions from where the
  client can load frames and scripts as well as limit where the client can
  submit form data.
- Restrict plugins and specify a valid resource for reporting policy
  violations.
- Not contain "unsafe" keywords or include wildcards that are ineffective
  for restricting sources.

--

Lukas Vyparina
Security Engineer

E: lukas.vyparina@gmail.com

M: +421 907 941 136

SUSE Linux s.r.o.

Křižikova 148/34
186 00 Praha 8

Czech Republic

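As an added illustration of the three remediation points above (not part of the ticket or the attached file), the following checker parses a Content-Security-Policy header value and reports missing frame/script/form-action restrictions, unblocked plugins, a missing reporting endpoint, "unsafe" keywords and wildcard sources; the two sample policies are constructed for the example and do not come from any listed site.

```python
# Added example, not from the ticket: check a CSP header value against the
# remediation points listed in the description (frames, scripts, form data,
# plugins, reporting, "unsafe" keywords, wildcards).

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'"}
FALLBACKS = {  # CSP source-list fallback chains; form-action has no fallback
    "script-src": ["script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
    "object-src": ["object-src", "default-src"],
    "form-action": ["form-action"],
}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [sources]}; names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_wildcard(src: str) -> bool:
    """'*' and bare scheme sources (https:) allow any host, so they restrict nothing."""
    return src == "*" or src.lower() in ("http:", "https:")

def check_csp(header: str) -> list[str]:
    """Return findings for the policy; an empty list means all checks passed."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive, sources in policy.items():  # "unsafe" keywords anywhere
        for src in sources:
            if src.lower() in UNSAFE_KEYWORDS:
                findings.append(f"{directive}: unsafe keyword {src}")
    for directive, chain in FALLBACKS.items():  # frames, scripts, plugins, forms
        used = next((name for name in chain if name in policy), None)
        if used is None:
            findings.append(f"{directive}: no restriction (directive missing and no fallback)")
            continue
        label = directive if used == directive else f"{directive} (via {used})"
        sources = policy[used]
        findings.extend(f"{label}: wildcard source {s}" for s in sources if is_wildcard(s))
        if directive == "object-src" and [s.lower() for s in sources] != ["'none'"]:
            findings.append(f"{label}: plugins not blocked (expected 'none')")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations are not reported")
    return findings

# Constructed sample headers for this example, not taken from any real site
WEAK_POLICY = "default-src * 'unsafe-inline'; script-src 'self' https:"
GOOD_POLICY = ("default-src 'self'; script-src 'self' https://static.example.org; "
               "frame-src 'none'; object-src 'none'; form-action 'self'; report-uri /csp-report")
```

Running `check_csp(WEAK_POLICY)` yields seven findings (wildcards for scripts, frames and plugins inherited from default-src, the unsafe keyword, the missing form-action, unblocked plugins and no reporting endpoint), while `check_csp(GOOD_POLICY)` yields none.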

Files

opensuse.txt (1.03 KB), lukas.vyparina@suse.com, 2024-05-29 09:46

Checklist

  • CSP Wiki
  • CSP TSP
  • CSP Static
  • CSP Planet
  • CSP Status
  • CSP Downloadcontent
  • CSP Lizards
  • CSP OSC-Collab
  • CSP Hackweek
  • CSP Code (Pagure)
  • CSP OSRT
  • CSP Mirrors
  • CSP Fontinfo
  • CSP 101
  • CSP SVN
  • CSP Codecs
  • CSP Mauritius

Actions #1

Updated by crameleon about 1 month ago

  • Checklist item CSP Wiki added
  • Checklist item CSP TSP added
  • Checklist item CSP Static added
  • Checklist item CSP Planet added
  • Checklist item CSP Status added
  • Checklist item CSP Downloadcontent added
  • Checklist item CSP Lizards added
  • Checklist item CSP OSC-Collab added
  • Checklist item CSP Hackweek added
  • Checklist item CSP Code (Pagure) added
  • Checklist item CSP OSRT added
  • Checklist item CSP Mirrors added
  • Checklist item CSP Fontinfo added
  • Checklist item CSP 101 added
  • Checklist item CSP SVN added
  • Checklist item CSP Codecs added
  • Checklist item CSP Mauritius added

Hi,

this seems like a very big project, involving many different service owners. I'm not fully sure how to coordinate this, especially since there are no concrete solutions for each of them provided, but added it as a discussion point for our next meeting (https://progress.opensuse.org/issues/159861).

For now, I converted your txt file to a list of service specific tasks in this ticket.

Note I ignored labs.suse.cz - this domain and the service behind it are not managed by us.

Best,
Georg

Actions #2

Updated by crameleon 23 days ago

  • Private changed from Yes to No

Actions #3

Updated by crameleon 23 days ago

Hi,

we discussed it in our meeting and agree to implement it, but it will take time and coordination.

Best,
Georg

Actions #4

Updated by lukas.vyparina@suse.com 19 days ago

Hi Georg,

That's totally fine, I understand it's a bigger topic.

Thanks for the update, appreciate it.

Br,
Lukas

