V1.12.2: Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or other attacks from the uploaded file.

Altinn / altinn-broker

Formidlingstjenesten

5 stars 0 forks source link

V1.12.2: Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or other attacks from the uploaded file. #484

Closed Andreass2 closed 4 weeks ago

Andreass2 commented 3 months ago

We do se serve file downloads as octet stream, so no changes is needed regarding this.

We are missing a Content Security Policy. Research and add a suitable CSP header to all requests.

This also affects "V14.4.3: " in https://github.com/Altinn/altinn-broker/issues/481 so mark that task as completed when done

Ceredron commented 1 month ago

Jeg er litt usikker på om vi kan implementere en god CSP gitt måten vi er brukt (som backend), eller om det er riktigere at det er Felles Arbeidsflate's CSP policy som gjelder. Jeg tror det er deres domene som vil kalle vårt API i så fall.

Andreass2 commented 1 month ago

Leste litt om det og ser urelevant ut da vi kun tilbyr ett API. Om det er tilfellet så tenker jeg issue kan closes. Da har vi vurdert caset og konkludert med at det ikke blir relevant for vår del.

Andreass2 commented 4 weeks ago

Konkluderte at dette er en setting som håndteres av frontend/webserver til frontendapplikasjonen