Posted to dev@drill.apache.org by "Igor Guzenko (Jira)" <ji...@apache.org> on 2020/03/16 09:07:00 UTC

[jira] [Created] (DRILL-7642) Get rid of Web UI inline code to improve security

Igor Guzenko created DRILL-7642:
-----------------------------------

             Summary: Get rid of  Web UI inline code to improve security
                 Key: DRILL-7642
                 URL: https://issues.apache.org/jira/browse/DRILL-7642
             Project: Apache Drill
          Issue Type: Improvement
          Components: Security, Web Server
            Reporter: Igor Guzenko


Application of the *Content-Security-Policy* response header with value *default-src https:* breaks numerous components in the Drill Web UI. The main reason for the failures is the inline code used widely in the Web UI. According to web security best practices, such code is [considered harmful|https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful] and should be avoided. In order to make the UI work, we can apply only the following header:

{code}
      "Content-Security-Policy": "default-src https:; script-src 'unsafe-inline' https:; style-src 'unsafe-inline' https:; font-src data: https:; img-src data: https:"    
{code}

This isn't as strict as necessary. Therefore it is necessary to rewrite all places where inline code is used and ensure that the CSP header can provide really strict rules for securing web pages.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
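The point of the issue is that a policy containing 'unsafe-inline' in script-src or style-src gives almost no protection against injected markup, and that the fix is to remove inline code (or, for the few blocks that must stay inline, to allow them individually by nonce or hash) so the 'unsafe-inline' keyword can be dropped. The following is an added example, not code from Apache Drill or from the issue reporter: it parses the permissive header quoted above, flags which directives still permit arbitrary inline code, and builds a strict per-request policy with a nonce and optional SHA-256 hash-sources. The 'self' source lists, the `render_page` template and all function names are assumptions for illustration; Drill's real Web UI is Java/FreeMarker, and this only demonstrates the policy logic.

```python
import base64
import hashlib
import secrets

# Constructed sample: the permissive header quoted in the issue.
PERMISSIVE_CSP = ("default-src https:; script-src 'unsafe-inline' https:; "
                  "style-src 'unsafe-inline' https:; font-src data: https:; "
                  "img-src data: https:")

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_allowed(policy, directive):
    """True if *arbitrary* inline code is permitted for script-src or style-src.

    A missing directive falls back to default-src. Per CSP Level 2, a browser
    that understands nonce-/hash-sources ignores 'unsafe-inline' when one is
    present, so such a policy no longer allows unrestricted inline code.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def audit_csp(header):
    """Return the directives of a header that still allow arbitrary inline code."""
    policy = parse_csp(header)
    return [d for d in ("script-src", "style-src") if inline_allowed(policy, d)]


def script_hash(source):
    """CSP hash-source for one inline block: SHA-256 over the exact bytes
    between the opening and closing tag, base64-encoded (whitespace matters)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce():
    """Fresh, unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp(nonce, inline_hashes=()):
    """Strict policy (assumed source lists): no 'unsafe-inline'; inline script
    must carry the nonce or match one of the hash-sources, inline style must
    carry the nonce. data: is kept for img/font as in the original header."""
    script_sources = ["'self'", f"'nonce-{nonce}'", *inline_hashes]
    return "; ".join([
        "default-src 'none'",
        "script-src " + " ".join(script_sources),
        f"style-src 'self' 'nonce-{nonce}'",
        "img-src 'self' data:",
        "font-src 'self' data:",
        "connect-src 'self'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def render_page(nonce):
    """Constructed page template: the remaining inline script carries the
    nonce, and the button has no onclick= attribute (inline event handlers
    cannot be nonced; they must move into the external script)."""
    return (
        "<!doctype html>\n<html><head>\n"
        f'<script nonce="{nonce}" src="/static/js/ui.js"></script>\n'
        f'<script nonce="{nonce}">initQueryForm();</script>\n'
        "</head><body>\n"
        '<button id="submit-query">Submit</button>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    print("permissive header allows inline in:", audit_csp(PERMISSIVE_CSP))
    nonce = new_nonce()
    header = strict_csp(nonce, [script_hash("initQueryForm();")])
    print("strict header:", header)
    print("strict header allows inline in:", audit_csp(header))
    print(render_page(nonce))
```

Two practical caveats the reporter's plan runs into: inline event handlers (`onclick=`, `href="javascript:..."`) are not covered by a nonce or a hash and genuinely have to be rewritten as `addEventListener` calls in an external file, and a hash-source breaks silently whenever anyone edits the inline block, so hashes suit only static snippets while server-rendered pages should use a per-response nonce.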