
Allow loading images from any source #4537

Merged
merged 1 commit into from Feb 23, 2019

@ProTip
Contributor

ProTip commented Feb 23, 2019

Is this a bugfix, or an enhancement? Please describe.
The introduction of CSP headers in #4405 has caused a situation where loading images, among other things, from different sources requires updating the header configs. For users with custom images in their README and MOTD markdowns, as well as our Tour functionality, this has resulted in surprising behavior.

Describe the solution you've implemented
I have allowed images to be loaded from any source by default. This is a low risk default and will prevent surprises and constant updating of defaults on new releases.

Describe alternatives you've considered
I considered disabling CSP headers by default to revert all behavior. The downside to this is that form-action: self is a very good default as it effectively breaks insecure setups posting to HTTP from HTTPS when a reverse proxy is not sending X-Forwarded-Proto. A lot of people were and would unknowingly be posting login data over HTTPS.
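To make the trade-off in this PR concrete, here is an added example (not code from this PR or from Rundeck) that evaluates a Content-Security-Policy header the way a browser would for `img-src` and `form-action`: the restrictive policy blocks a README image hosted elsewhere, `img-src *` allows it, and `form-action 'self'` still rejects a login form that would post over plain HTTP from an HTTPS page. The policy strings, hostnames and paths are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed policies: the restrictive one that blocked README/MOTD images,
# and the relaxed one this PR moves to (img-src * permits any http(s) host).
RESTRICTIVE_CSP = "default-src 'self'; img-src 'self'; form-action 'self'"
RELAXED_CSP = "default-src 'self'; img-src *; form-action 'self'"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(source, url, page):
    """Match one CSP source expression against a target URL (simplified)."""
    target, origin = urlparse(url), urlparse(page)
    if source == "*":
        return target.scheme in ("http", "https")  # * never covers data:/blob:
    if source == "'self'":
        # 'self' = the page's own scheme, host and port, so an HTTPS page
        # may not submit a form to http:// on the same host.
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source == "'none'":
        return False
    if source.endswith(":"):  # scheme-source such as https: or data:
        return target.scheme == source[:-1]
    # host-source, optionally with a scheme and a *. wildcard subdomain
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if src.hostname.startswith("*."):
        return target.hostname.endswith(src.hostname[1:])
    return src.netloc == target.netloc


def allows(header, directive, url, page):
    """True if `directive` in `header` lets `page` load/submit to `url`.

    Fetch directives such as img-src fall back to default-src when absent;
    form-action does not, so a policy without it leaves form targets open.
    """
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive != "form-action":
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: unrestricted
    return any(_source_matches(s, url, page) for s in sources)
```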

@ProTip ProTip added this to the 3.0.16 milestone Feb 23, 2019

@ProTip ProTip merged commit 7a404b7 into master Feb 23, 2019

18 of 19 checks passed
