Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/01/18 19:40:27 UTC

[GitHub] [airflow] ttaubermarshall-stripe opened a new issue #20934: Update web ui to allow for using strict content security policies

ttaubermarshall-stripe opened a new issue #20934:
URL: https://github.com/apache/airflow/issues/20934


   ### Description
   
   CSP (Content Security Policy) is a layer of security that can be applied to web applications to mitigate certain types of attacks, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   
   Currently, it is difficult to apply a strict CSP to the Airflow web UI due to the use of certain HTML constructs that are considered unsafe, such as inline scripts and styles and style attributes. Rewriting the Airflow HTML templates to remove these constructs would allow for stricter policies to be applied.
   
   ### Use case/motivation
   
   Applying strict CSPs creates confidence that the web application is not vulnerable to certain types of attacks such as XSS, which is useful for security-conscious users and for passing security audits.
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
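
The constructs the issue names (inline scripts, inline styles, style attributes) can be located in templates before a policy is tightened. The audit below is an added example, not part of the original thread or of Airflow's code; it goes beyond the three named constructs by also flagging inline event handlers and `javascript:` URLs, and the sample template, the `csp_nonce` variable and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

JS_TYPES = {"", "module", "text/javascript", "application/javascript"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class StrictCSPAudit(HTMLParser):
    """Record markup that only works if the policy allows 'unsafe-inline'."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, directive that would need 'unsafe-inline')
    def _flag(self, kind, directive):
        self.findings.append((self.getpos()[0], kind, directive))
    def handle_starttag(self, tag, attrs):
        amap = {name: (value or "") for name, value in attrs}
        has_nonce = "nonce" in amap  # assumption: the target policy is nonce-based
        if tag == "script" and "src" not in amap and not has_nonce:
            # Data blocks (e.g. type="application/json") are never executed.
            if amap.get("type", "").strip().lower() in JS_TYPES:
                self._flag("inline-script", "script-src")
        elif tag == "style" and not has_nonce:
            self._flag("inline-style-element", "style-src")
        for name, value in amap.items():
            if name == "style":
                self._flag("style-attribute", "style-src")
            elif name.startswith("on"):  # onclick, onload, ...; nonces do not cover these
                self._flag("event-handler", "script-src")
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                self._flag("javascript-url", "script-src")

def audit(template_text):
    parser = StrictCSPAudit()
    parser.feed(template_text)
    parser.close()
    return parser.findings  # in document order

# Constructed Jinja-style template; not taken from the Airflow code base.
SAMPLE = """<html><head>
<style>.dag { color: red; }</style>
<script src="/static/dist/main.js"></script>
<script nonce="{{ csp_nonce }}">init();</script>
<script type="application/json" id="meta">{"a": 1}</script>
</head><body>
<div style="display:none" onclick="toggle()">x</div>
<script>var dagId = "{{ dag_id }}";</script>
<a href="javascript:void(0)">more</a>
</body></html>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result means the template would render unchanged under a policy whose `script-src` and `style-src` omit `'unsafe-inline'`.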



[GitHub] [airflow] boring-cyborg[bot] commented on issue #20934: Update web ui to allow for using strict content security policies

Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #20934:
URL: https://github.com/apache/airflow/issues/20934#issuecomment-1015771934


   Thanks for opening your first issue here! Be sure to follow the issue template!
   





[GitHub] [airflow] potiuk closed issue #20934: Update web ui to allow for using strict content security policies

Posted by GitBox <gi...@apache.org>.
potiuk closed issue #20934:
URL: https://github.com/apache/airflow/issues/20934


   





[GitHub] [airflow] potiuk commented on issue #20934: Update web ui to allow for using strict content security policies

Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #20934:
URL: https://github.com/apache/airflow/issues/20934#issuecomment-1015796632


   The web UI of Airflow is being overwritten as we speak with some of the goals of removal of the inline scripts etc. https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-38+Modern+Web+Application





[GitHub] [airflow] ttaubermarshall-stripe commented on issue #20934: Update web ui to allow for using strict content security policies

Posted by GitBox <gi...@apache.org>.
ttaubermarshall-stripe commented on issue #20934:
URL: https://github.com/apache/airflow/issues/20934#issuecomment-1015819172


   Thanks for the quick response! Sorry, I wasn't aware of the ongoing work.





[GitHub] [airflow] potiuk edited a comment on issue #20934: Update web ui to allow for using strict content security policies

Posted by GitBox <gi...@apache.org>.
potiuk edited a comment on issue #20934:
URL: https://github.com/apache/airflow/issues/20934#issuecomment-1015796632


   The web UI of Airflow is being rewritten as we speak with some of the goals of removal of the inline scripts etc. https://cwiki.apache.org/confluence/display/AIRFLOW/AIP-38+Modern+Web+Application

