Closed laurenb33 closed 4 months ago
Kait, Mike, and I had a preliminary discussion about this ticket on 5/21 after standup:
1a. I will look for the impact of an outage to DCS
1b. Ask for 6 month extension on issue to see where the community is at then and see if it is addressed.
1c. Mostly for passing variables easily, custom form behavior, and Universal Viewer configuration.
2a. For the CSP SPA exception, I created a ticket to further investigate the scope of enabling a CSP for DCS: https://github.com/yalelibrary/YUL-DC/issues/2838
waiting for CSP
Both the jQuery and CSP exceptions are approved for 6 mo. extensions. I will make tickets in the backlog for implementation. Ready to close!
We received feedback from the Information Security Office about the SPA exception requests. They would like me to get back to them about the questions below.
The following questions are about jQuery:
1a. What is the impact of an outage to the system?
1b. When will jQuery versions 1 and 2 no longer be supported for backward compatibility? If the community has not provided this information, what would the timeline be to fork the gem and make the modifications needed to remove versions 1 and 2?
1c. What is the inline JavaScript used for?
This is about the CSP exception:
Regarding the CSP issue, it is possible to implement a CSP header and specifically allow the resources that need to script inline. This will allow the system to block requests from illegitimate sources.
2a. When could this type of configuration be enabled?
Once a timeline to get this in place is determined, we can continue with that exception. While a WAF can be helpful in protecting against certain attacks (e.g. SQL injection), it's not a good replacement for a CSP.
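As an added illustration of the approach the ISO describes (a CSP header that permits only the specific inline scripts the app itself emits), here is example Ruby that is not from the YUL-DC project: it builds a per-request nonce-based `script-src` and checks whether a given inline script would be allowed under the resulting policy. The helper names and the CDN host are assumptions.

```ruby
require 'securerandom'

# Generate a fresh nonce for each response; it must never be reused.
def new_nonce
  SecureRandom.base64(16)
end

# Build a Content-Security-Policy header value (hypothetical helper).
# allowed_hosts are assumed third-party script origins, e.g. a viewer CDN.
def build_csp(nonce, allowed_hosts: [])
  script_src = ["'self'", "'nonce-#{nonce}'", *allowed_hosts]
  [
    "default-src 'self'",
    "script-src #{script_src.join(' ')}",
    "object-src 'none'",
    "base-uri 'self'"
  ].join('; ')
end

# Parse a CSP header value into { directive => [source expressions] }.
def parse_csp(header)
  header.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |d, h|
    name, *sources = d.split(/\s+/)
    h[name] = sources
  end
end

# Decide whether an inline <script> would execute under the policy.
# Browser rule: inline script runs only if script-src carries a matching
# 'nonce-...', or lists 'unsafe-inline' with no nonce/hash sources present
# (a nonce or hash in the directive makes 'unsafe-inline' ignored).
def inline_script_allowed?(header, script_nonce)
  policy  = parse_csp(header)
  sources = policy['script-src'] || policy['default-src'] || []
  nonces  = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact
  hashes  = sources.select { |s| s.start_with?("'sha") }
  return true if script_nonce && nonces.include?(script_nonce)
  sources.include?("'unsafe-inline'") && nonces.empty? && hashes.empty?
end

if __FILE__ == $PROGRAM_NAME
  nonce = new_nonce
  header = build_csp(nonce, allowed_hosts: ['https://cdn.example.org'])
  puts header
  puts "app inline script allowed: #{inline_script_allowed?(header, nonce)}"
  puts "injected inline script allowed: #{inline_script_allowed?(header, nil)}"
end
```

The same nonce must be rendered into the `nonce` attribute of every legitimate inline `<script>` tag (for example via the view helper that passes variables to the Universal Viewer config), and the header must be regenerated on every request.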