feat: Allow CSP per org_domain #4642
Conversation
@nono what do you think about that?

Well, I'm not a fan of this change. It's not catastrophic but it weakens the in-depth defense. Maybe we can change only some CSP rules. For example, I don't see any issues with allowing the new domains for img-src, but default-src and script-src are more powerful.
How can we address scenarios like these:
Scenario 1:
Scenario 2:
Scenario 3:
Do you have something else in mind?
Scenario 4: Only open needed CSP for
Do we really need to open the CSP for this scenario? We should try and look at what CSP rule is blocking, but I wouldn't be surprised if it works without opening new CSP. For OIDC, we need URL navigation (GET), and server to server communications. For server to server, the CSP doesn't apply. For URL navigation, I'm not sure. It may work with the current CSP, or we may need to update one rule (form-action? connect-src?).
Finally we only need a CSP. We have a check somewhere in the process to check that "matrix.orgDomain" is targeting our infra. But we don't have this information yet from the stack side. Maybe if it's needed we can try to find a way to set this boolean somewhere on cozy-stack. @nono what do you think?
For me, it is OK.

For me it looks safe if it's not an asterisk; we won't have any forgotten and arbitrary domains.
This change automatically adds matrix.org_domain to the frame-src Content Security Policy directive when an instance has an org_domain configured. This allows us to load synapse (chat) from the org_domain.

9bff11d to db439d2
This change automatically adds *.org_domain to all Content Security Policy directives when an instance has an org_domain configured. This allows loading resources (such as chat applications) hosted on the organization's domain and its subdomains.
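The restriction the reviewers converge on above (open the org domain only for the directives that need it, and never accept a wildcard), as an added Go example that is not cozy-stack's code; the directive list, the base policy and the example.org domain are assumptions:

```go
package main

import (
	"errors"
	"sort"
	"strings"
)

// Directives that may receive the org domain. Hypothetical policy choice
// following the review discussion: the chat runs in a frame and serves
// images, so frame-src and img-src are opened; default-src and script-src
// stay untouched.
var orgDomainDirectives = map[string]bool{
	"frame-src": true,
	"img-src":   true,
}

// BuildCSP appends "*.<orgDomain>" to the allowed directives of a base
// policy (directive name -> source list) and returns the serialized header.
func BuildCSP(base map[string][]string, orgDomain string) (string, error) {
	orgDomain = strings.TrimSpace(strings.ToLower(orgDomain))
	// Reject empty values and anything carrying a wildcard, scheme, path or
	// directive separator: "*" alone would whitelist every origin.
	if orgDomain == "" || strings.ContainsAny(orgDomain, "*/ ;") {
		return "", errors.New("invalid org_domain for CSP")
	}
	names := make([]string, 0, len(base))
	for name := range base {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic header output
	parts := make([]string, 0, len(names))
	for _, name := range names {
		sources := append([]string(nil), base[name]...) // copy, don't alias
		if orgDomainDirectives[name] {
			sources = append(sources, "*."+orgDomain)
		}
		parts = append(parts, name+" "+strings.Join(sources, " "))
	}
	return strings.Join(parts, "; "), nil
}
```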