Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-7642

Get rid of Web UI inline code to improve security

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.17.0
    • Fix Version/s: Future
    • Component/s: Security, Web Server
    • Labels:
      None

      Description

      Application of Content-Security-Policy response header with value 'default-src https:' breaks down numerous components in Drill Web UI. The main reason for the failures is the inline code used widely in Web UI. According to web security best practices, such code is considered harmful and should be avoided. In order to make UI work, we can apply the only header:

            "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"    
      

      Which isn't as strict as necessary. Therefore it is necessary to rewrite all places where inline code is used and ensure that CSP header can provide really strict rules for securing web pages.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ihuzenko Igor Guzenko
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: