Open OmarHawk opened 1 year ago
I believe unsafe-inline is required by Angular. I could be wrong.
Can you please test your suggested changes with an Angular, React, and a Vue app and see if they work?
Angular did work apart from some console errors regarding the mentioned points. I'll test React/Vue in the next days.
Nice. When we added the csp angular didn't work at all without unsafe inline.
This issue is stale because it has been open for too long without any activity. Due to the moving nature of jhipster generated application, bugs can become invalid. If this issue still applies please comment otherwise it will be closed in 7 days
Not stale
This issue is stale because it has been open for too long without any activity. Due to the moving nature of jhipster generated application, bugs can become invalid. If this issue still applies please comment otherwise it will be closed in 7 days
still not stale. Will sooner or later pick it up ;-)
Overview of the feature request
At the moment, the default CSP (at least we have one) looks like this: https://github.com/jhipster/generator-jhipster/blob/7dd8197465cf71abda38f260f376ac8bff9670c3/generators/server/templates/src/main/resources/config/application.yml.ejs#L373-L377
We do have unsafe-inline and unsafe-eval in script-src and style-src. This is not optimal from a security perspective, because injected JavaScript code could theoretically be executed. By default, we should produce the application in a way that it works without these unsafe rules and then also get rid of these defaults.
In some places, we do have (unnecessary) inline JavaScript code like href="javascript:void(0)" which can quite easily be replaced; in others, we do have script tags in the initial HTML, which probably require a nonce, or should be extracted into an actual script file. Then, we also have some dependencies, like springdoc / swagger-ui, which have had open issues about this for quite some time.
Motivation for or Use Case
Make the default jhipster configuration be more secure.
Related issues or PR
9549, https://github.com/swagger-api/swagger-ui/issues/7540, https://github.com/springdoc/springdoc-openapi/issues/1492
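As an added illustration (not code from the issue or from the JHipster generator), the check below parses a Content-Security-Policy header value, flags the unsafe keywords the issue describes in script-src/style-src, and shows how the same policy looks once those keywords are replaced by a per-response nonce. The sample policy is constructed to match the pattern described above, not copied from the linked application.yml.

```python
import base64
import secrets

# Constructed sample in the shape the issue describes (NOT the actual
# JHipster default): 'unsafe-inline' and 'unsafe-eval' in script-src
# and style-src.
WEAK_CSP = (
    "default-src 'self'; frame-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline' https://fonts.example; "
    "img-src 'self' data:; font-src 'self' data:"
)

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# Directives where these keywords re-enable inline/eval'd script or style.
# default-src is included because it is the fallback for both.
CHECKED_DIRECTIVES = ("default-src", "script-src", "style-src")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def find_unsafe(policy: str) -> list[str]:
    """Return one finding per unsafe keyword found in a checked directive."""
    findings = []
    for name, sources in parse_csp(policy).items():
        if name in CHECKED_DIRECTIVES:
            for kw in sorted(UNSAFE_KEYWORDS & set(sources)):
                findings.append(f"{name} allows {kw}")
    return findings


def new_nonce() -> str:
    """Fresh, unguessable nonce; must be generated per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def hardened_csp(weak_policy: str, nonce: str) -> str:
    """Drop the unsafe keywords and whitelist inline blocks by nonce instead.

    Every inline <script>/<style> kept in the initial HTML then needs
    nonce="<nonce>"; anything without it is blocked by the browser.
    """
    directives = parse_csp(weak_policy)
    for name in ("script-src", "style-src"):
        if name in directives:
            kept = [s for s in directives[name] if s not in UNSAFE_KEYWORDS]
            directives[name] = kept + [f"'nonce-{nonce}'"]
    return "; ".join(f"{k} {' '.join(v)}".strip() for k, v in directives.items())
```

Note that once a nonce (or hash) is present in script-src, CSP Level 2+ browsers ignore 'unsafe-inline' in that directive anyway, so removing it is what makes the policy honest about what it enforces.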