[Rt-commit] rt branch, 4.6/add-nonce-source-support, updated. rt-4.4.2-97-g7e58f0923

Maureen Mirville maureen at bestpractical.com
Mon Jun 4 12:17:47 EDT 2018


The branch, 4.6/add-nonce-source-support has been updated
       via  7e58f0923d198b356bea3d1b4e064f6982d499e8 (commit)
      from  862c1603cc53274ee8b70518c87c43b5b4cca739 (commit)

Summary of changes:
 etc/RT_Config.pm.in | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

- Log -----------------------------------------------------------------
commit 7e58f0923d198b356bea3d1b4e064f6982d499e8
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Fri Jun 1 13:04:00 2018 -0400

    Add SetCSPHeaders as a config option
    
    Give users the option to enable the HTTP Content Security Policy (CSP) which
    helps prevent cross-site scripting (XSS) attacks by blocking potentially
    malicious code that could be hidden in inline javascript or styling. Additional
    CSP directives can also optionally be added.

diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index fae0d46d4..b1370c66d 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -2299,6 +2299,28 @@ defaults alone.
 
 =over 4
 
+=item C<$SetCSPHeaders>
+
+This option allows you to enable the HTTP Content Security Policy (CSP)
+in your RT. If enabled, potentially malicious code from inline javascript
+will be blocked to help prevent cross-site scripting (XSS) attacks. To
+enable, set this option to "default-src 'self'" and optionally, add any
+additional CSP directives. For example, to allow inline styling, but
+continue to block inline javascript, you can set this option as below
+using the CSP 'style-src' directive:
+
+    Set($SetCSPHeaders, "default-src 'self'; style-src 'self' 'unsafe-inline'");
+
+If you have some customizations in your RT that contain inline javascript,
+you must add the nonce attribute to the script tag to ensure the javascript
+will be added as an exception (see example below).
+
+    <script nonce='<%$m->notes->{"csp-nonce"}%>' type="text/javascript">
+
+=cut
+
+Set($SetCSPHeaders, undef);
+
 =item C<$DisallowExecuteCode>
 
 If set to 1, the C<ExecuteCode> right will be removed from
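Review bot: the new POD for C<$SetCSPHeaders> leaves the central question unanswered: with the documented value "default-src 'self'" alone, a `nonce` attribute on a `<script>` tag has no effect, because the policy contains no `'nonce-...'` source; the text should state whether RT appends the per-request nonce source (the value exposed as `$m->notes->{"csp-nonce"}`) to the configured policy automatically, since otherwise the workaround shown after "see example below" cannot work as described. Two smaller documentation points: the name reads like a boolean, so say explicitly that the value is the literal Content-Security-Policy header string and that `undef` (the default set here) means no header is sent; and note that `default-src 'self'` restricts far more than inline JavaScript (scripts, styles, images and fonts from other origins are blocked too), so the reader knows the "style-src 'self' 'unsafe-inline'" example is one of several exceptions they may need.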

-----------------------------------------------------------------------
