Timestamp:
Jun 26, 2014, 8:08:13 AM (7 years ago)
Author:
Nicklas Nordborg
Message:

References #1712: Implement a 'Content Security Policy'

Rearranged documentation about content security policy so that it appears in the table of contents and is easier to find.

File:
1 edited

  • branches/3.3-stable/doc/src/docbook/appendix/web.xml.xml

    r6417 r6494  
    199199      </listitem>
    200200    </varlistentry>
    201    
    202     <varlistentry id="appendix.web.xml.csp-filter" xreflabel="the Content security policy section">
    203       <term><sgmltag class="starttag">filter</sgmltag>: csp-filter</term>
    204       <listitem>
    205         <para>
    206         A filter that sets the <emphasis>Content security policy</emphasis>
    207         header in all responses from the BASE web server. This header tell
    208         browsers to not execute code (including JavaScript) that is considered
    209         unsafe. Some extensions and/or plug-ins
    210         may not adhere to the restrictions implied by the policy and may thus not work unless
    211         it is relaxed a bit. Typically, adding <code>script-src 'self' 'unsafe-inline';</code>
     201    </variablelist>
     202   
     203    <sect1 id="appendix.web.xml.csp-filter">
     204      <title>Content security policy</title>
     205      <para>
     206        Support for <emphasis>Content Security Policy</emphasis> was added in BASE 3.3.
     207        This is a technology that is used to prevent web browsers from accessing and
     208        executing content that is considered unsafe. This includes JavaScript, style sheets,
     209        images, browser plug-ins, etc. The policy is implemented by white-listing what is
     210        allowed, everything else is blocked.
     211      </para>
     212     
     213      <para>
     214        In BASE, we have choosen a relatively restrictive policy which only allow resources
     215        to be lodaded from the BASE server. Browser plug-ins are always blocked. This should
     216        work well for a standard BASE installation. But some (older) extensions to BASE
     217        doesn't adhere to the restrictions implied by the policy and may not work unless it
     218        is relaxed a bit. Typically, the problem is that the extensions uses inline javascript
     219        code to handle mouse clicks and other events, which is forbidden by the default policy
     220        settings. In this case, the policy must be relaxed a bit. Typically,
     221        adding <code>script-src 'self' 'unsafe-inline';</code>
    212222        to the policy setting should take care of most issues. If this is not
    213223        enough to make the extension work the following link is a good starting point
     
    215225        <ulink url="http://www.html5rocks.com/en/tutorials/security/content-security-policy/">
    216226        http://www.html5rocks.com/en/tutorials/security/content-security-policy/</ulink>
    217         </para>
    218        
    219         <para>
    220         The following parameters can be specified for the filter:
    221         </para>
    222        
    223         <itemizedlist>
    224           <listitem>
    225             <para><varname>policy</varname>: The policy string that is sent in the response</para>
    226           </listitem>
    227           <listitem>
    228             <para><varname>report-only</varname>: If set, policy violations are only reported and not blocked</para>
    229           </listitem>
    230           <listitem>
    231             <para><varname>unsafe-resources-policy</varname>:
    232               An alternate policy string that is used for extensions that set
    233               <code><sgmltag class="starttag">about safe-resources="0"</sgmltag></code>
    234               in their definition.
    235             </para>
    236           </listitem>
    237         </itemizedlist>
    238        
    239       </listitem>
    240     </varlistentry>
    241   </variablelist>
     227      </para>
     228   
     229      <variablelist>
     230      <varlistentry>
     231        <term><sgmltag class="starttag">filter</sgmltag>: csp-filter</term>
     232        <listitem>
     233          <para>
     234          A filter that sets the <emphasis>Content security policy</emphasis>
     235          header in all responses from the BASE web server. This filter can be removed
     236          to disable content security policy, but use this only as a last resort if
     237          nothing else works.
     238          </para>
     239         
     240          <para>
     241          The following parameters can be specified for the filter:
     242          </para>
     243         
     244          <itemizedlist>
     245            <listitem>
     246              <para><varname>policy</varname>: The policy string that is sent in the response. The default value
     247              is: <code>default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none';</code>
     248              </para>
     249            </listitem>
     250            <listitem>
     251              <para><varname>report-only</varname>: If set, policy violations are only reported and not blocked</para>
     252            </listitem>
     253            <listitem>
     254              <para><varname>unsafe-resources-policy</varname>:
     255                An alternate policy string that is used for extensions that set
     256                <code><sgmltag class="starttag">about safe-resources="0"</sgmltag></code>
     257                in their definition. The default value is:
     258                <code>default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'unsafe-inline';</code>
     259              </para>
     260            </listitem>
     261          </itemizedlist>
     262         
     263        </listitem>
     264      </varlistentry>
     265    </variablelist>
     266  </sect1>
    242267
    243268</appendix>
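Review bot: the new `<sect1>` paragraph (new lines 214-219) has several spelling and agreement errors that should be fixed before this lands: "choosen" should be "chosen", "lodaded" should be "loaded", "which only allow resources" should be "which only allows resources", "some (older) extensions ... doesn't adhere" should be "don't adhere", and "the extensions uses inline javascript" should be "the extensions use inline JavaScript"; the sentence ending "the following link is a good starting point" (new line 223) also needs a colon before the `<ulink>`, and "relaxed a bit" is said twice in the same paragraph (new lines 218 and 220), so the second occurrence can go. Two further points. The removed `<varlistentry>` carried `xreflabel="the Content security policy section"` alongside `id="appendix.web.xml.csp-filter"`, but the new `<sect1>` keeps only the id, so any `<xref linkend="appendix.web.xml.csp-filter"/>` elsewhere in the book will now render the section title instead of that label; either restore the `xreflabel` on the `<sect1>` or confirm that no cross-reference depends on it. Lastly, the recommended relaxation `script-src 'self' 'unsafe-inline';` permits every inline script on every page and so gives up most of the script-injection protection the default policy provides; the paragraph should state that trade-off and direct administrators to the `report-only` parameter (documented on new line 251) as the way to identify which extensions actually violate the policy before relaxing it for the whole installation.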