certtools / intelmq-manager

IntelMQ Manager is a graphical interface to manage configurations for IntelMQ framework.
https://docs.intelmq.org/latest/user/manager/

ALLOWED_PATH= violates CSP #183

Closed mrvanes closed 3 years ago

mrvanes commented 5 years ago

Chrome forbids the `<script>ALLOWED_PATH="/opt/intelmq/var/lib/bots/";</script>` line in template.php @101 because of the recommended CSP 'self' setting. This can be resolved with 'unsafe-inline' or adding the hash to the Apache conf.

ghost commented 5 years ago

Thanks for the bug report.

Script tags in HTML are not allowed, so either

  1. change the docs and example conf file https://github.com/certtools/intelmq-manager/blob/34c2c733354573c3e55c3f295a93a2c21fdfc804/debian/intelmq.conf#L10 https://github.com/certtools/intelmq-manager/blob/7cb4c4efd996374a880b8592fd6a77de454f4e8d/docs/INSTALL.md#content-security-policy-headers
  2. or deliver the variable name by different means (separate JS file delivered by PHP, API call to a PHP file)

But

  1. is easier for us
  2. is compatible with older configurations

So maybe 2 is the way to go

cc also @e3rd

monoidic commented 3 years ago

Fixed by #264