close

Filter

loading table of contents...

Studio Developer Manual / Version 2010

Table Of Contents

8.2 Content Security Policy

Cross-site scripting (XSS) vulnerabilities are a severe threat for all high profile web applications like CoreMedia Studio. While conscientious output escaping always has to be the first choice in order to avoid cross-site scripting attacks, most modern web browsers offer a new standard called Content Security Policy (CSP) as a second line of defense (see http://www.w3.org/TR/CSP/).

Default Policy

The standard Blueprint CoreMedia Studio enables Content Security Policy by default. It configures at least the following default CSP directives in the browser.

default-src 'none';
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-eval';
img-src 'self';
connect-src 'self';
object-src 'self';
font-src 'self';
media-src 'self';
manifest-src 'self';
frame-src <YOUR_PREVIEW_ORIGIN>

The configuration represents the minimum set of directives to comply with the Studio's and its third-party library requirements. Both, the unsafe-inline value of the style-src directive and the unsafe-eval value of the script-src directive are required by Ext JS.

Customize Policy

Each of the CSP directives that are included in the default configuration plus the report-uri directive can be easily customized.

Caution

Caution

Note, that weakening the policy settings can have severe effects on the application's security. Especially re-enabling inline script execution is considered harmful as it thwarts all efforts to prevent XSS.

Customization is done via a set of studio.security.csp.* properties in the WEB-INF/application.properties property file of the Studio Server web application. Each property is responsible for one Content Security Policy directive.

Note

Note

Please note that for legacy reasons the configuration needs to be done in the Studio Server. The Studio Client will reuse the CSP directives by sending a request to the Studio Server and dynamically creating a meta HTML element which adds the directives before the actual Studio Application is bootstrapped.

  • studio.security.csp.scriptSrc: Takes a list of values for the script-src policy directive. Default values are 'self','unsafe-eval'.

  • studio.security.csp.styleSrc: Takes a list of values for the style-src policy directive. Default values are 'self','unsafe-inline'.

  • studio.security.csp.frameSrc: Takes a list of values for the frame-src policy directive. The hierarchy of default values for this directive is as follows.

    • studio.previewUrlWhitelist values if specified.

    • Schema and authority of studio.previewUrlPrefix if specified.

    • 'self'

  • studio.security.csp.connectSrc: Takes a list of values for the connect-src policy directive. Default value is 'self'.

  • studio.security.csp.fontSrc: Takes a list of values for the font-src policy directive. Default value is 'self'.

  • studio.security.csp.imgSrc: Takes a list of values for the img-src policy directive. Default value is 'self'.

  • studio.security.csp.mediaSrc: Takes a list of values for the media-src policy directive. Default value is 'self'.

  • studio.security.csp.objectSrc: Takes a list of values for the object-src policy directive. Default value is 'self'.

  • studio.security.csp.reportUri: Takes a list of values for the report-uri policy directive. If no custom list is provided, the directive is not included in the CSP directives.

Here is an example how an adapted property would look like.

studio.security.csp.objectSrc='self',www.exampleDomain.com
Using frame-ancestors directive

The frame-ancestors directive is used to defend clickjacking attacks. Due to the way the Studio Client defines its CSP directives, it cannot be configured via WEB-INF/application.properties. This is because the CSP standard does not support setting this directive in meta HTML elements.

In order to configure the directive you need to adjust the configuration of the web server so it provides a corresponding CSP HTTP header. Our default docker and chef deployments will already set the frame-ancestors to 'self'.

Please note that the frame-ancestors directive is part of the Content Security Policy Level 2 standard which is not yet supported by all the browsers that support Content Security Policy Level 1. If required, similar functionality can be achieved for 'legacy' browsers by setting an appropriate X-Frame-Options header in the web server delivering the Studio Client.

Write CSP Compliant Code

According to the default policy, inline JavaScript will not be executed. This restriction bans both inline script blocks and inline event handlers (for example onclick="..."). The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible to accidentally execute scripts provided by a malicious third-party. It does, however, require a clean separation between content and behavior (which is good practice anyway). The required code changes for inline JavaScript code can be summarized as follows:

  • Inline script blocks needs to move into external JavaScript files.

  • Inline event handler definitions must be rewritten in terms of addEventListener and extracted into component code.

CSP violations can be easily discovered by monitoring the browser console. All violations are logged as errors including further details about the violation type and culprit.

Customize CSP Mode

CoreMedia Studio can run in one of four supported CSP modes.

  • ENFORCE: Full CSP protection is enabled. All directives are enforced and reported.

  • ENFORCE_ALLOW_DISABLE: Enable full CSP protection unless the disableCsp query parameter is set to 'true'. This mode is not recommended for a production environment.

  • REPORT: CSP protection is enabled in report only mode. All violations are reported using the report-uri directives configured in studio.security.csp.reportUri but the directives are not enforced. This mode is not recommended for a production environment.

  • DISABLE: CSP protection is disabled. This setting is not recommended.

The configuration is done via the studio.security.csp.mode key of the WEB-INF/application.properties property file of the Studio Server web application.

Search Results

Table Of Contents