[FOLIO-2956] Spike: Provide guidelines for use of Content Security Policy headers with FOLIO Created: 12/Jan/21  Updated: 19/Jan/23

Status: Blocked
Project: FOLIO
Components: Documentation
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Jason Skomorowski Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: documentation, security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3691 Spike: create a baseline CSP Open
relates to STRIPES-236 Deployment documentation Closed
relates to MODLOGSAML-63 Implement CSRF Prevention Closed
Sprint:
Story Points: 3
Development Team: Stripes Force

Description

Content Security Policy is a set of headers a server sending JavaScript can use to constrain the environment it's executed in.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

While teams deploying FOLIO at various vendors and institutions are presumably making some use of this mechanism already, it's able to be quite fine-grained and to make full use of it you need to understand the web application you're deploying in depth:

  • one might choose to disallow all connections to anything other than Okapi so that, for example, a malicious script can't exfiltrate user data it has captured. But perhaps some apps connect to other services?
  • we could disallow the execution of scripts from the Okapi host so that a compromised Okapi service couldn't have malicious scripts executed by the browser. However, I couldn't say for sure that we never do anything with an Okapi response that constitutes execution by the way browsers interpret CSP and it may be something an app in future has a use case for.
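As an added illustration of the two choices above (not code from FOLIO, Stripes or Okapi), the following builds a strict policy whose `connect-src` admits only the app's own origin, an assumed Okapi gateway and any exceptions an individual app declares, whose `script-src` admits only the app's own origin, and includes a deliberately simplified checker showing which directive a given request falls under. The host names `folio.example.org`, `okapi.example.org` and `*.maps.example.net` are constructed for the example.

```javascript
// Added example, not FOLIO/Stripes project code. Host names are assumptions.

// Build a CSP header value. `okapiOrigin` is the assumed Okapi gateway;
// `extraConnect` lists origins an individual app declares it must reach
// (the "policy exceptions" the description asks apps to indicate).
function buildCsp(okapiOrigin, extraConnect = []) {
  const directives = {
    "default-src": ["'self'"],
    // Scripts only from the app's own origin: an Okapi response can never be
    // loaded as a script, and inline scripts are blocked too.
    "script-src": ["'self'"],
    // fetch/XHR/WebSocket only to self, Okapi and declared exceptions, so a
    // script that has captured data has nowhere else to send it.
    "connect-src": ["'self'", okapiOrigin, ...extraConnect],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a serialized policy into { directiveName: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified source-expression matching: 'self', '*', scheme-sources such as
// "https:", and host-sources with an optional leading "*." wildcard. Ports and
// paths are ignored and a scheme-less host is accepted for the target's own
// scheme; real browsers are stricter, so this is an aid to reasoning about a
// draft policy, not an enforcement engine.
function sourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === new URL(selfOrigin).origin;
  if (source === "*") return true;
  // 'none', 'unsafe-inline', nonces and hashes never match a URL.
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const [scheme, hostPart] = source.includes("://")
    ? source.split("://")
    : [target.protocol.slice(0, -1), source];
  if (scheme.toLowerCase() + ":" !== target.protocol) return false;
  const host = hostPart.split("/")[0].split(":")[0].toLowerCase();
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// Would `url` be permitted under `directive`? Falls back to default-src when
// the directive is absent (as browsers do for fetch directives).
function allows(policy, directive, url, selfOrigin) {
  const sources = policy[directive] ?? policy["default-src"] ?? [];
  return sources.some((source) => sourceMatches(source, url, selfOrigin));
}

// Demo with constructed hosts: one app declares a map-tile service exception.
const demoHeader = buildCsp("https://okapi.example.org", ["https://*.maps.example.net"]);
console.log(demoHeader);
```

With the policy above, a fetch to the Okapi host is allowed while a fetch to any other origin is refused, and a script served from Okapi is refused even though connections to it are permitted; the checker makes that split visible before the policy is deployed where a blocked request would break an app.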

It's touched on in this colourful and engaging (though long) article on web application security I occasionally link to: https://medium.com/hackernoon/part-2-how-to-stop-me-harvesting-credit-card-numbers-and-passwords-from-your-site-844f739659b9

I've mentioned this a few times, even as far back as STRIPES-236. But, so far as I know, not much has happened with it. So I'm creating this Draft issue on the FOLIO project in hopes of catalysing something as this seems to necessarily involve several teams: stripes, documentation, security, devops:

  • someone familiar with Stripes needs a spike to become familiar with CSP and develop a core set of recommendations
  • this needs to fit with devops' experience of how FOLIO is deployed in practice
  • we need good documentation both to disseminate this best practice and come up with a way for individual apps in the ecosystem to indicate which policy exceptions they require
  • security should be aware of this


Comments
Comment by Craig McNally [ 16/Jun/22 ]

Khalilah Gambrell, the security team is wondering if stripes-force can take a look at this - and possibly create a spike as mentioned in the description. Thanks!

Comment by Khalilah Gambrell [ 18/Jun/22 ]

Hey Craig McNally, I will have the stripes-force team review but I am unsure what the goal is - Is it to define guidelines for how to deploy CSP and any exceptions?

If so, does the security team want to review and approve guidelines before they are presented to developers?

Comment by Craig McNally [ 17/Nov/22 ]

Khalilah Gambrell this came up again at the security team meeting... There are several parties that should be involved here, including the stripes-force/architecture, security team, sys-ops sig, etc.

It probably makes sense to start with pulling together a strawman set of guidelines/suggestions.  The interested parties could then review and provide some initial feedback.  If we need to iterate on this we can create follow-on stories for that, which may be assigned to stripes-force, or handled by someone else.
