
Support Content Security Policy (a.k.a CSP) to help protect against XSS #12

Status: Closed
mknauer opened this issue May 4, 2022 · 2 comments
Labels: enhancement (New feature or request)
Milestone: 3.21

mknauer commented May 4, 2022

Copy of Bugzilla bug 579074

If using a CSP header with RAP it would need to be configured with a CSP script-src directive with self, unsafe-inline, unsafe-eval.

Such a configuration is very permissive and removes most of the security provided by CSP.

csp-evaluator.withgoogle.com allows evaluating how a CSP configuration improves XSS protection and currently rates script-src values as follows:

  • unsafe-inline as High severity:
    unsafe-inline allows the execution of unsafe in-page scripts and event handlers.
  • self as Possible medium severity finding:
    self can be problematic if you host JSONP, Angular or user uploaded files.
  • unsafe-eval as Possible medium severity finding:
    unsafe-eval allows the execution of code injected into DOM APIs such as eval().

Ideally the script-src tag should not be configured with any of unsafe-inline, self, or unsafe-eval.

  • unsafe-inline is required because org.eclipse.rap.rwt.internal.service.StartupPage generates a script element with inline code.
  • self is required because org.eclipse.rap.rwt.internal.service.StartupPage generates a script element with a src from server.
  • unsafe-eval is required because RAP uses the eval() function for several features (Browser widget, client scripting and JavaScriptExecutor, BrowserFunction).

The proposed enhancement is to support configuring RWTServlet to generate a "strict" CSP header:

When CSP generation is enabled RWTServlet.sendStartupContent would:

  • generate a nonce on request
  • add a CSP header to the response: Content-Security-Policy: default-src 'self'; script-src nonce-<generatedvalue> 'unsafe-eval'; style-src 'self' 'unsafe-inline'
  • pass the generated nonce to the StartupPage so that it can append the nonce to the <script> elements.

Additionally:

  • RWTServlet could be configured to remove unsafe-eval from the script-src.
    In such a situation RAP features relying on JavaScript eval() would become unusable.
  • RWTServlet could be configured to add other CSP directives like frame-ancestors.

mknauer added the enhancement (New feature or request) label May 4, 2022
mknauer added this to the 3.21 milestone May 4, 2022
mknauer commented May 4, 2022

For the complete discussion around the implementation, please read bug 579074 in Bugzilla before the GitHub migration.

The feature has been implemented with

mknauer closed this as completed May 4, 2022

mknauer commented May 4, 2022

Added the ability to set a Content Security Policy (string with directives) to the RAP application. The implementation is based on the script nonce attribute, whereby only allowed scripts are executed.

Content-Security-Policy: script-src 'nonce-2726c7f26c'

A dynamically generated nonce value will be added at runtime. Use 'nonce-' in your script-src directive. Example of CSP:

script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';

For a workbench application, the CSP can be set in a new csp attribute of the entrypoint extension in plugin.xml. In other cases, use the new org.eclipse.rap.rwt.client.WebClient.CSP property when defining an entrypoint in the ApplicationConfiguration.

import java.util.HashMap;
import java.util.Map;

import org.eclipse.rap.rwt.application.Application;
import org.eclipse.rap.rwt.application.ApplicationConfiguration;
import org.eclipse.rap.rwt.client.WebClient;

public class MyApplication implements ApplicationConfiguration {

  public void configure( Application application ) {
    // Entry point properties; WebClient.CSP holds the policy template.
    // The 'nonce-' placeholder is expanded with a per-request nonce at runtime.
    Map<String, String> properties = new HashMap<>();
    ...
    properties.put( WebClient.CSP, "script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';" );
    application.addEntryPoint( "/", MyApp.class, properties );
  }
}

Note: Without 'unsafe-eval' in your CSP script-src directive, the following RAP features will not work:

  • org.eclipse.swt.browser.Browser.execute(String)
  • org.eclipse.swt.browser.Browser.evaluate(String)
  • org.eclipse.swt.browser.Browser.evaluate(String, BrowserCallback)
  • org.eclipse.swt.browser.BrowserFunction
  • org.eclipse.rap.rwt.scripting.ClientListener
  • org.eclipse.rap.rwt.client.service.JavaScriptExecutor
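The following is an added illustration of the nonce flow proposed in the first comment (generate a nonce per request, expand it into the header, stamp it onto the startup page's <script> elements) and of the 'nonce-' placeholder convention described in the final comment. It is example code written for this page, not RAP's own implementation; the class and method names, the placeholder HTML, and the parsing of the policy string are assumptions. The list of eval-dependent features is the one given above.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;

/** Example per-request CSP nonce handling (not RAP's code; names are assumptions). */
public class CspNonceExample {

  private static final SecureRandom RANDOM = new SecureRandom();

  /** Placeholder used in the configured policy string, as described in the issue. */
  static final String NONCE_PLACEHOLDER = "'nonce-'";

  /** RAP features the issue lists as dependent on JavaScript eval(). */
  static final String[] EVAL_DEPENDENT_FEATURES = {
    "org.eclipse.swt.browser.Browser.execute(String)",
    "org.eclipse.swt.browser.Browser.evaluate(String)",
    "org.eclipse.swt.browser.Browser.evaluate(String, BrowserCallback)",
    "org.eclipse.swt.browser.BrowserFunction",
    "org.eclipse.rap.rwt.scripting.ClientListener",
    "org.eclipse.rap.rwt.client.service.JavaScriptExecutor"
  };

  /** 128 bits from a CSPRNG, base64-encoded: unguessable and a valid CSP nonce value. */
  static String generateNonce() {
    byte[] bytes = new byte[16];
    RANDOM.nextBytes(bytes);
    return Base64.getEncoder().encodeToString(bytes);
  }

  /** Expands every 'nonce-' placeholder in the configured policy with the request nonce. */
  static String expandPolicy(String template, String nonce) {
    return template.replace(NONCE_PLACEHOLDER, "'nonce-" + nonce + "'");
  }

  /** Adds nonce="..." to each <script> start tag so the browser will run those scripts. */
  static String addNonceToScripts(String html, String nonce) {
    String tagStart = "<script nonce=\"" + nonce + "\"";
    return html.replaceAll("<script\\b", Matcher.quoteReplacement(tagStart));
  }

  /** Source list that governs scripts: script-src, else default-src, else null (unrestricted). */
  static List<String> effectiveScriptSources(String policy) {
    List<String> fallback = null;
    for (String directive : policy.split(";")) {
      String[] tokens = directive.trim().split("\\s+");
      List<String> sources = new ArrayList<>(Arrays.asList(tokens).subList(1, tokens.length));
      if (tokens[0].equalsIgnoreCase("script-src")) {
        return sources;
      }
      if (tokens[0].equalsIgnoreCase("default-src")) {
        fallback = sources;
      }
    }
    return fallback;
  }

  /** RAP features that stop working under this policy because eval() is not allowed. */
  static List<String> blockedFeatures(String policy) {
    List<String> sources = effectiveScriptSources(policy);
    List<String> blocked = new ArrayList<>();
    if (sources != null && !sources.contains("'unsafe-eval'")) {
      blocked.addAll(Arrays.asList(EVAL_DEPENDENT_FEATURES));
    }
    return blocked;
  }

  public static void main(String[] args) {
    // The policy template from the issue; constructed startup page below is a stand-in.
    String configured = "script-src 'strict-dynamic' 'nonce-' http: https:; object-src 'none'; base-uri 'none';";
    String nonce = generateNonce();
    System.out.println("Content-Security-Policy: " + expandPolicy(configured, nonce));

    String page = "<html><head><script src=\"client.js\"></script>"
        + "<script>startApplication();</script></head></html>";
    System.out.println(addNonceToScripts(page, nonce));

    for (String feature : blockedFeatures(configured)) {
      System.out.println("unavailable under this policy: " + feature);
    }
  }
}
```

Two points the example makes visible: the nonce must come from a CSPRNG and change on every response, since a predictable or reused nonce lets injected markup carry a valid nonce attribute; and with 'strict-dynamic' present, CSP3 browsers ignore the http: and https: host sources, so only the nonced startup scripts and whatever they load programmatically are permitted, which is why the policy above still blocks eval() and the listed features unless 'unsafe-eval' is added back.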
