
V1.12.2: Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or other attacks from the uploaded file. #484

Closed
Tracked by #481 ...
Andreass2 opened this issue Jun 25, 2024 · 3 comments
Assignees
Labels
kind/user-story Used for issues that describes functionality for our users.

Comments

@Andreass2 (Collaborator) commented Jun 25, 2024

We do serve file downloads as octet stream, so no changes are needed regarding this.

We are missing a Content Security Policy. Research and add a suitable CSP header to all requests.

This also affects "V14.4.3: " in #481, so mark that task as completed when done.
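A defender-side check of the requirement quoted in the issue title (user-uploaded files served as an octet-stream attachment, with a CSP on the response), as an added Python example; it is not code from this project. The header names are standard, but the `build_download_headers` and `check_download_response` helpers, the `API_CSP` value and the sample filename are assumptions for illustration.

```python
import re
from urllib.parse import quote

# Assumed minimal CSP for an API-only backend: nothing may be loaded or embedded.
API_CSP = "default-src 'none'; frame-ancestors 'none'; sandbox"


def build_download_headers(filename: str, length: int) -> dict:
    """Headers for serving a user-uploaded file as a pure download (V1.12.2)."""
    # Replace control chars, quotes, backslashes and slashes so the name cannot
    # inject extra header fields or path tricks; fall back to a fixed name.
    safe = re.sub(r'[\x00-\x1f"\\/]', "_", filename).strip() or "download"
    ascii_name = safe.encode("ascii", "replace").decode()
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(safe)}"
        ),
        "Content-Length": str(length),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": API_CSP,
        "Cache-Control": "no-store",
    }


def parse_csp(value: str) -> dict:
    """'default-src 'none'; sandbox' -> {'default-src': ["'none'"], 'sandbox': []}"""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def check_download_response(headers: dict) -> list:
    """Return the V1.12.2 / V14.4.3 findings for a file-download response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("content-type", "").split(";")[0].strip() != "application/octet-stream":
        findings.append("Content-Type is not application/octet-stream")
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment' (file may render inline)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif csp.get("default-src") != ["'none'"]:
        findings.append("CSP default-src should be 'none' for a file/API response")
    return findings
```

Run `check_download_response` against the headers your download endpoint actually returns (for example from a captured HTTP response) to see which of the two ASVS items still fails.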

@Ceredron (Collaborator) commented

I am a bit unsure whether we can implement a good CSP given the way we are used (as a backend), or whether it is more correct that Felles Arbeidsflate's CSP policy is the one that applies. I think it is their domain that will call our API in that case.

@Andreass2 (Collaborator, Author) commented

Read a bit about it, and it looks irrelevant since we only offer an API. If that is the case, I think the issue can be closed. Then we have assessed the case and concluded that it is not relevant for us.

@Ceredron Ceredron added the kind/user-story Used for issues that describes functionality for our users. label Sep 2, 2024
@Andreass2 Andreass2 self-assigned this Sep 2, 2024
@Andreass2 (Collaborator, Author) commented

Concluded that this is a setting handled by the frontend/web server of the frontend application.

Projects
Status: ✅ Done