Hi Support,
I’d like your advice on enabling Content-Security-Policy for a CUBA application.
I’ve added a Content-Security-Policy header on the CUBA default Tomcat, but it shows a blank page.
Regards,
CK
Hi,
The provided Vaadin forum topic leads to the Vaadin GitHub issue regarding CSP, which is closed because:
The reason for closing is that this is something that simply cannot be fixed without lots and lots of compromises.
Also, the provided Vaadin forum topic discusses some workarounds:
Another way could be to use a BootstrapListener to add a nonce attribute to all script and style tags and add a script-src 'nonce-xxxxxxxx' policy.
The example of custom BootstrapListener can be found here.
Regards,
Gleb
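The nonce-based workaround quoted above, written out as an added example (this is not code from the thread, the CUBA Platform or Vaadin). It assumes a Vaadin 8 style BootstrapListener (com.vaadin.server.BootstrapListener), whose BootstrapPageResponse exposes the bootstrap page as a jsoup Document, and it follows the bean-registration pattern used later in this thread; the class and bean names are hypothetical. A fresh random nonce is generated per page load, stamped onto every script and style element in the bootstrap page, and echoed in the Content-Security-Policy header, so no 'unsafe-inline' and no wildcard source is needed for the bootstrap markup itself.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.jsoup.nodes.Element;
import org.springframework.stereotype.Component;

import com.vaadin.server.BootstrapFragmentResponse;
import com.vaadin.server.BootstrapListener;
import com.vaadin.server.BootstrapPageResponse;

// Hypothetical bean name; registration of the listener follows the same pattern as the
// custom BootstrapListener shared later in this thread.
@Component(NonceBootstrapListener.NAME)
public class NonceBootstrapListener implements BootstrapListener {

    public static final String NAME = "test_NonceBootstrapListener";

    // SecureRandom is thread-safe and may be shared across requests.
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void modifyBootstrapFragment(BootstrapFragmentResponse response) {
        // Fragments are embedded in a host page whose response headers this listener
        // does not control, so a header-based policy cannot be applied here.
    }

    @Override
    public void modifyBootstrapPage(BootstrapPageResponse response) {
        String nonce = newNonce();

        // Stamp every <script> and <style> element of the bootstrap page with the nonce
        // so that each one is admitted by the policy set below.
        for (Element el : response.getDocument().select("script, style")) {
            el.attr("nonce", nonce);
        }

        response.setHeader("Content-Security-Policy", buildPolicy(nonce));
    }

    // 128 bits of randomness, base64-encoded, generated freshly for every page load.
    // A nonce that is reused across responses gives an attacker a value to copy.
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    // 'self' keeps the application's own external scripts, themes and fonts working;
    // the nonce admits only the inline blocks stamped above. No 'unsafe-inline', no '*'.
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
             + "script-src 'self' 'nonce-" + nonce + "'; "
             + "style-src 'self' 'nonce-" + nonce + "'; "
             + "img-src 'self' data:";
    }
}
```

The header only covers what the bootstrap page itself contains. Scripts or styles that the Vaadin client engine injects at run time do not carry the nonce, and the GitHub issue Gleb mentions was closed as not fixable without compromises, so deploy this behind Content-Security-Policy-Report-Only first and check the browser console and violation reports before switching to the enforcing header.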
Hi,
For sharing: sample code for a custom BootstrapListener and CSP rules.
import org.springframework.stereotype.Component;

import com.vaadin.server.BootstrapFragmentResponse;
import com.vaadin.server.BootstrapListener;
import com.vaadin.server.BootstrapPageResponse;

@Component(CustomBootstrapListener.NAME)
public class CustomBootstrapListener implements BootstrapListener {

    public static final String NAME = "test_CustomBootstrapListener";

    @Override
    public void modifyBootstrapFragment(BootstrapFragmentResponse response) {
    }

    @Override
    public void modifyBootstrapPage(BootstrapPageResponse response) {
        // Sets a CSP header that allows inline scripts, eval and inline styles from any origin (*).
        response.setHeader("Content-Security-Policy",
                "script-src 'unsafe-inline' 'unsafe-eval' *; style-src 'unsafe-inline' *");
    }
}
Supporting links for security
Regards,
CK