HTML5: Misconfigured Content Security Policy
What is the GitLab engineering productivity problem to solve?
HTML5: Misconfigured Content Security Policy for GITLAB
Detected in the DAST report. Access http://ip:8080/undefined through the proxy and note the misconfigured Content-Security-Policy header in the response headers.
What are the potential solutions?
Remove wildcard values from source lists to limit the scope of cross-origin access the site grants. Ensure the canonical Content-Security-Policy header name is used to specify the policy: the X-Content-Security-Policy and X-WebKit-CSP names are deprecated, and references to them are only useful where support for earlier browsers is required. Sending these headers alongside Content-Security-Policy has been reported to cause unexpected behavior in some browser versions. Content Security Policy Level 2 support:
• Edge: Edge 15-18 supported with a nonce bug. Version 75 onwards fully supported.
• Chrome: Chrome 36-38 are missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives. Chrome 39 is missing the plugin-types, child-src, base-uri, and form-action directives. Chrome 40 onwards fully supported.
• Firefox: Firefox 31-34 is missing the plugin-types, child-src, frame-ancestors, base-uri, and form-action directives. Firefox 35 is missing the plugin-types, child-src, frame-ancestors, and form-action directives. Firefox 36-44 is missing the plugin-types and child-src directives. Firefox 45+ is missing the plugin-types directive.
Furthermore, the report-uri directive can be configured to receive reports of attempts to violate the policy. These reports serve as an early indication of security issues on the site and as input for tightening the policy.
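The checks above (no wildcard sources, canonical header name only, violation reporting configured) can be scripted against captured response headers. The following is an added example written for this issue; it is not GitLab code and not part of the DAST report. The header sets WEAK_HEADERS and HARDENED_HEADERS are constructed samples, and the /csp-report path and assets.example.com host are placeholders.

```ruby
# Added example (not GitLab code, not from the DAST report): audit HTTP
# response headers for the CSP problems listed above. Sample header sets
# below are constructed for illustration.

CANONICAL_HEADER   = "Content-Security-Policy"
DEPRECATED_HEADERS = ["X-Content-Security-Policy", "X-WebKit-CSP"]

# Parse a CSP header value into { directive_name => [source, ...] }.
def parse_csp(value)
  value.split(";").each_with_object({}) do |chunk, policy|
    name, *sources = chunk.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# Return an array of finding strings for a headers hash (name => value).
# Header names are matched case-insensitively, as HTTP requires.
def audit_csp(headers)
  findings = []
  norm = headers.each_with_object({}) { |(k, v), h| h[k.downcase] = v }

  # Deprecated names: only relevant for old browsers, and reported to
  # misbehave when sent together with the canonical header.
  DEPRECATED_HEADERS.each do |name|
    findings << "deprecated header #{name} present" if norm.key?(name.downcase)
  end

  value = norm[CANONICAL_HEADER.downcase]
  return findings << "#{CANONICAL_HEADER} header missing" if value.nil?

  policy = parse_csp(value)

  # A bare "*" source admits any origin; this is the wildcard the report flags.
  policy.each do |directive, sources|
    sources.each do |src|
      findings << "wildcard source in #{directive}" if src == "*"
    end
  end

  # Violation reporting is optional but useful for tuning; note when absent.
  unless policy.key?("report-uri") || policy.key?("report-to")
    findings << "no report-uri/report-to directive"
  end

  findings
end

# Constructed sample: a misconfigured response (deprecated header, wildcards,
# no reporting).
WEAK_HEADERS = {
  "X-Content-Security-Policy" => "default-src *",
  "Content-Security-Policy"   => "default-src *; img-src * data:",
}

# Constructed sample: canonical header only, explicit origins, reporting on.
# The report path and asset host are placeholders.
HARDENED_HEADERS = {
  "Content-Security-Policy" =>
    "default-src 'self'; img-src 'self' data:; " \
    "script-src 'self' https://assets.example.com; report-uri /csp-report",
}

if __FILE__ == $PROGRAM_NAME
  puts "weak:     #{audit_csp(WEAK_HEADERS).inspect}"
  puts "hardened: #{audit_csp(HARDENED_HEADERS).inspect}"
end
```

Point audit_csp at the headers captured through the proxy for http://ip:8080/undefined; an empty result means the three conditions above hold. Subdomain patterns such as *.example.com are deliberately not flagged, since they scope access to one domain rather than to any origin.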