Content Security Policy
Content Security Policy is a way of telling the browser to be more strict on where it can load javascript or CSS from and where it can connect to. It mitigates whole swaths of possible security issues. Given perfect code, Content Security Policy wouldn't be necessary. But we all know about perfect code.
Cockpit runs as a real user login session. That means once you're logged in the javascript running in the web browser has access to your system just like you do. This is similar to running an application on a Linux desktop, or tools in a logged in terminal shell.
What we need to ensure is that only the code Cockpit explicitly loaded is executed, and no other code (eg: included by way of an XSS attack) gets run. Content Security Policy helps us enforce this.
By default Cockpit components are loaded into the browser with a rather strict security policy. It allows no inline javascript, and no inline CSS. Eval is disabled. The strict policy prevents the browser from loading resources resources or connecting to other machines.
You can place a line in your manifest.json that changes the default policy. It's recommended not to.
Some javascript libraries need to be aware of CSP, and adjust their behavior to not fall afoul of the policy. Here's a list of the libraries we've used with CSP and where we've run into problems.
-
angular: Works
- Has a CSP mode, which makes it somewhat slower because eval() is disabled.
-
bootstrap-select: Doesn't work.
- Removing its use.
- jQuery: Works
-
less: Fails when used in the browser
- https://github.com/less/less.js/pull/2855
- Requires:
'nonce-...'when used in a brwoser
- react: Works with gettext style javascript translation
- term.js: Needs patches
The list is incomplete.