Wednesday, August 22, 2018

Improving security with the Content-Security-Policy header

Securing web applications is always difficult and a moving target. Fairly recently, web browsers have started supporting the Content-Security-Policy HTTP header. This header is designed to help fight Cross Site Scripting (XSS) and data injection attacks.

Content-Security-Policy is very configurable. Some organizations set that header to strict values which disallow inline JavaScript and CSS within HTML pages. What this means is that anything like this is rejected by the web browser:

<script type="text/javascript">
    function foo() { alert("Hello!"); }
</script>

Up until Orbeon Forms 2017.2, Orbeon Forms includes some inline scripts and CSS in the HTML it serves to the browser, mainly to provide data and functions specific to the current form. Setting a Content-Security-Policy header that disallows inline scripts and CSS would therefore break Orbeon Forms.

With Orbeon Forms 2018.1 and newer, on the other hand, Orbeon Forms no longer produces inline scripts and CSS by default. This can make Orbeon Forms safer by default if you set a stricter Content-Security-Policy.
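As an added example (not Orbeon's own code), the following Python snippet audits a Content-Security-Policy header value and reports whether it still lets inline scripts or styles run, which is the property a "strict" policy of the kind described above depends on. The header values are constructed samples, and the check is deliberately limited to 'unsafe-inline' with its nonce/hash override and the default-src fallback.

```python
# Added example, not Orbeon's own code: audit a Content-Security-Policy header
# value to see whether inline <script> or <style> content is still allowed,
# i.e. whether the policy is "strict" in the sense the post describes.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token names the directive, the
    rest are its sources. Browsers ignore a repeated directive, so the first
    occurrence wins here as well."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`: script-src and style-src fall back
    to default-src when absent. None means nothing restricts this kind."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def allows_inline(policy, directive):
    """True if inline content of this kind runs without a nonce or hash.
    'unsafe-inline' permits it, but a nonce or hash source in the same list
    makes CSP level 2 browsers ignore 'unsafe-inline', so only inline blocks
    carrying that nonce or matching that hash are then allowed."""
    sources = effective_sources(policy, directive)
    if sources is None:  # no directive and no default-src: unrestricted
        return True
    lowered = [s.lower() for s in sources]
    nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in lowered)
    return "'unsafe-inline'" in lowered and not nonce_or_hash

def inline_report(header):
    """Summarise whether inline scripts and inline styles are permitted."""
    policy = parse_csp(header)
    return {"script": allows_inline(policy, "script-src"),
            "style": allows_inline(policy, "style-src")}

# Constructed sample header values
STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'"
LAX = "default-src 'self' 'unsafe-inline'"
NONCED = "script-src 'self' 'nonce-abc123' 'unsafe-inline'; style-src 'unsafe-inline'"

if __name__ == "__main__":
    for name, value in (("strict", STRICT), ("lax", LAX), ("nonced", NONCED)):
        print(name, inline_report(value))
```

A header that sets only unrelated directives (for example just img-src) leaves inline scripts and styles unrestricted, which the report makes visible.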

In addition, and optionally, Orbeon Forms can generate the Content-Security-Policy header for you via a very simple configuration.

More details are available in the documentation.

We hope you like this new feature of the upcoming Orbeon Forms 2018.1.
