<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:24:30 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2956] Spike: Provide guidelines for use of Content Security Policy headers with FOLIO</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2956</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Content Security Policy is a set of headers a server sending Javascript can use to constrain the environment it&apos;s executed in.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While teams deploying FOLIO at various vendors and institutions are presumably making some use of this mechanism already, it&apos;s able to be quite fine grained and to make full use of it you need to understand the web application you&apos;re deploying in depth: &lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;one might choose to disallow all connections to anything other than Okapi so that, for example, a malicious script can&apos;t exfiltrate user data it has captured. But perhaps some apps connect to other services?&lt;/li&gt;
	&lt;li&gt;we could disallow the execution of scripts from the Okapi host so that a compromised Okapi service couldn&apos;t have malicious scripts executed by the browser. However, I couldn&apos;t say for sure that we never do anything with an Okapi response that constitutes execution by the way browsers interpret CSP and it may be something an app in future has a use case for.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;It&apos;s touched on in this colourful and engaging (though long) article on web application security I occasionally link to: &lt;a href=&quot;https://medium.com/hackernoon/part-2-how-to-stop-me-harvesting-credit-card-numbers-and-passwords-from-your-site-844f739659b9&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://medium.com/hackernoon/part-2-how-to-stop-me-harvesting-credit-card-numbers-and-passwords-from-your-site-844f739659b9&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I&apos;ve mentioned this a few times, even as far back as 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;STRIPES-236&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/STRIPES-236&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Deployment documentation&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            STRIPES-236
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
. But, so far as I know, not much has happened with it. So I&apos;m creating this Draft issue on the FOLIO project in hopes of catalysing something as this seems to necessarily involve several teams: stripes, documentation, security, devops:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;someone familiar with Stripes needs a spike to become familiar with CSP and develop a core set of recommendations&lt;/li&gt;
	&lt;li&gt;this needs to fit with devops&apos; experience of how FOLIO is deployed in practice&lt;/li&gt;
	&lt;li&gt;we need good documentation both to disseminate this best practice and come up with a way for individual apps in the ecosystem to indicate which policy exceptions they require&lt;/li&gt;
	&lt;li&gt;security should be aware of this&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="79832">FOLIO-2956</key>
            <summary>Spike: Provide guidelines for use of Content Security Policy headers with FOLIO</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="10003" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/generic.png" description="The issue cannot be worked on because it is blocked by other issues. (Migrated on 4 Feb 2024 13:41 UTC)">Blocked</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5d1cd1e35e43080ce8bf881f">Jason Skomorowski</reporter>
                                    <labels>
                            <label>documentation</label>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Tue, 12 Jan 2021 02:06:17 +0000</created>
                <updated>Thu, 19 Jan 2023 16:03:53 +0000</updated>
                                                                            <component>Documentation</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>7</watches>
                                                                <comments>
                                                            <comment id="190290" author="5cf6c546b87c300f36eb7b9a" created="Thu, 16 Jun 2022 15:34:32 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62a96ae7192edb006f9f1bf9&quot; class=&quot;user-hover&quot; rel=&quot;62a96ae7192edb006f9f1bf9&quot; data-account-id=&quot;62a96ae7192edb006f9f1bf9&quot; accountid=&quot;62a96ae7192edb006f9f1bf9&quot; rel=&quot;noreferrer&quot;&gt;Khalilah Gambrell&lt;/a&gt; the security team is wondering if stripes-force can take a look at this - and possibly create a spike as mentioned in the description.  Thanks!&lt;/p&gt;</comment>
                                                            <comment id="190297" author="62a96ae7192edb006f9f1bf9" created="Sat, 18 Jun 2022 22:33:17 +0000"  >&lt;p&gt;Hey &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;, I will have the stripes-force team review but I am unsure what the goal is - Is it to define guidelines for how to deploy CSP and any exceptions? &lt;/p&gt;

&lt;p&gt;If so, do the security team want to review and approve guidelines before they are presented to developers?&lt;/p&gt;</comment>
                                                            <comment id="190306" author="5cf6c546b87c300f36eb7b9a" created="Thu, 17 Nov 2022 16:21:48 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=62a96ae7192edb006f9f1bf9&quot; class=&quot;user-hover&quot; rel=&quot;62a96ae7192edb006f9f1bf9&quot; data-account-id=&quot;62a96ae7192edb006f9f1bf9&quot; accountid=&quot;62a96ae7192edb006f9f1bf9&quot; rel=&quot;noreferrer&quot;&gt;Khalilah Gambrell&lt;/a&gt; this came up again at the security team meeting... There are several parties that should be involved here, including the stripes-force/architecture, security team, sys-ops sig, etc.&#160;&#160;&lt;/p&gt;

&lt;p&gt;It probably makes sense to start with pulling together a strawman set of guidelines/suggestions.&#160; The interested parties could then review and provide some initial feedback.&#160; If we need to iterate on this we can create follow-on stories for that, which may be assigned to stripes-force, or handled by someone else.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79857">FOLIO-3691</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="61134">STRIPES-236</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="73296">MODLOGSAML-63</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10183"><![CDATA[Stripes Force]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzx1qi:i0r</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 16 Jun 2022 15:34:32 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>