Confluence Data Center / CONFSERVER-65782

Content Security Policy (CSP) Vulnerabilities


Details

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Hello,

      Recently I have been alerted to some security issues by our compliance teams. They have informed me of CSP issues on Confluence, essentially making it potentially susceptible to XSS attacks. To resolve this issue, there has been a suggestion made:

       - Replace insecure traffic (served over HTTP) with secure traffic: `upgrade-insecure-requests`.
       - The default setting for all the *-src directives. Preferred 'none', but 'self' or your CDN domain is fine. If not specified, the default for all the *-src directives is `default-src 'none'`.
       - Always configure, regardless of your `default-src` setting. Console services cannot use object, embed or applet elements: `object-src 'none'`.

      This is something that Confluence can fix to prevent this level of vulnerability. What other measures does this system take to help CSP issues?
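The three points raised in the description are easy to check mechanically. Below is an added example, not Confluence code or anything shipped by Atlassian: a small Python audit that parses a Content-Security-Policy header and reports which of the three recommendations it fails. The sample headers are constructed for illustration, and the CDN host `https://cdn.example.com` is an assumption. One subtlety the audit encodes is that fetch directives such as `object-src` fall back to `default-src` when they are not set explicitly, which is why the description asks for `object-src 'none'` regardless of the `default-src` value.

```python
"""Audit a Content-Security-Policy header against the three hardening points
from CONFSERVER-65782: upgrade-insecure-requests, a restrictive default-src,
and an explicit object-src 'none'.

Added example; not Confluence or Atlassian code. Sample headers are constructed.
"""
from typing import Dict, List

# Fetch directives that inherit from default-src when they are not set
# explicitly (CSP Level 3). A missing object-src therefore means
# "whatever default-src allows", not "nothing".
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]}.

    Directive names are case-insensitive. If a directive appears twice,
    browsers honour the first occurrence and ignore the rest, so we do the same.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the source list that actually governs `directive`, applying the
    default-src fallback for fetch directives that are absent."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def audit_csp(header: str, allowed_cdn: str = "") -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    policy = parse_csp(header)
    findings: List[str] = []

    # 1. Mixed content: HTTP sub-resources should be upgraded to HTTPS.
    if "upgrade-insecure-requests" not in policy:
        findings.append("missing upgrade-insecure-requests: HTTP sub-resources are not upgraded")

    # 2. default-src: the fallback for every unset *-src directive.
    default = policy.get("default-src")
    if default is None:
        findings.append("default-src not set: every unset *-src directive is unrestricted")
    else:
        permitted = {"'none'", "'self'"}
        if allowed_cdn:
            permitted.add(allowed_cdn)  # the CDN host is an assumption of this example
        extra = [src for src in default if src not in permitted]
        if extra:
            findings.append(f"default-src permits {extra}: prefer 'none', or 'self' / your CDN")

    # 3. object-src: must be set explicitly to 'none', never left to fall back.
    if "object-src" not in policy:
        findings.append("object-src not set explicitly: it inherits default-src")
    elif effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(f"object-src is {policy['object-src']}: should be 'none'")

    return findings


# Constructed sample headers: one weak, one following the description's advice.
WEAK_CSP = "default-src *; script-src 'self'"
HARDENED_CSP = (
    "default-src 'none'; script-src 'self' https://cdn.example.com; "
    "style-src 'self'; img-src 'self' data:; connect-src 'self'; "
    "object-src 'none'; upgrade-insecure-requests"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {audit_csp(header, 'https://cdn.example.com') or ['OK']}")
```

Run against a live instance by pasting the value of the `Content-Security-Policy` response header into `audit_csp`; a header that is absent altogether is equivalent to an empty string and fails all three checks.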
       


            People

              Assignee: Unassigned
              Reporter: Zuhair Bhatti
              Votes: 16
              Watchers: 18
