Jira Data Center: JRASERVER-74253

When a script-src Content-Security-Policy is defined without unsafe-inline, Jira does not function



      Issue Summary

      When a script-src Content-Security-Policy is defined, Jira does not work unless the source unsafe-inline is provided.

      Implementing a script-src CSP can be considered important, as it minimises the risk of XSS attacks by blocking script execution via inline <script> blocks and attributes like onclick, onerror, and so forth.

      There are a number of inline script blocks present in Jira's front-end markup, and thus, to implement a script-src CSP that does not break these inline scripts, one would need to use unsafe-inline within the CSP, which permits JavaScript execution from within the page markup.

      Further reading: https://csper.io/blog/no-more-unsafe-inline

      Possible solutions

      • Dynamically generate the CSP and nonce values on the fly for inline scripts
      • Relocate inline scripts to JavaScript files, which would then pass the CSP
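      The following is an added example, not Jira's or Atlassian's code, showing the first proposed solution end to end: a per-response nonce is generated, placed in the script-src directive, and attached to every inline <script> tag, so the page works without unsafe-inline. It also includes the check an operator would want before deploying a policy in front of Jira: whether script-src (or the default-src fallback) still relies on 'unsafe-inline'. The HTML snippet and the `appConfig` global are constructed for illustration; nonce handling follows the CSP specification, where a nonce or hash source makes 'unsafe-inline' ignored by CSP Level 2 browsers. Note that a nonce only covers <script> elements; inline handler attributes such as onclick still need to move into a JavaScript file (the second proposed solution), which is why the example counts them separately.

```python
"""Added example (not Jira's or Atlassian's code): per-response CSP nonces for
inline scripts, plus a check that script-src does not rely on 'unsafe-inline'.
The sample HTML below is constructed; it is not Jira markup."""
import base64
import re
import secrets

# Constructed page: one inline script, one external script, one inline handler.
SAMPLE_HTML = """<html><head>
<script>window.appConfig = window.appConfig || {};</script>
<script src="/static/batch.js"></script>
</head><body onload="init()"><p>hello</p></body></html>"""


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_allows_inline(header):
    """True if inline scripts are allowed by 'unsafe-inline' with no nonce or
    hash source present (a nonce/hash makes browsers ignore 'unsafe-inline')."""
    policy = parse_csp(header)
    sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    if "'unsafe-inline'" not in sources:
        return False
    strict = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(strict) for s in sources)


def new_nonce():
    """Fresh, unpredictable nonce for a single response (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_csp(nonce):
    """script-src limited to the nonce and same-origin files; no unsafe-inline."""
    return f"script-src 'nonce-{nonce}' 'self'; object-src 'none'; base-uri 'self'"


# Inline <script> tags: no src= attribute and no nonce= attribute yet.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)(?![^>]*\bnonce=)([^>]*)>", re.IGNORECASE)
# Inline event handler attributes (onclick=, onload=, ...), which nonces do not cover.
INLINE_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)


def add_nonces(html, nonce):
    """Attach the response nonce to every inline <script> tag."""
    return INLINE_SCRIPT.sub(lambda m: f'<script nonce="{nonce}"{m.group(1)}>', html)


def count_unnonced_inline(html):
    """Inline scripts that a nonce-based policy would block."""
    return len(INLINE_SCRIPT.findall(html))


def count_inline_handlers(html):
    """Handler attributes that must be moved into a JavaScript file."""
    return len(INLINE_HANDLER.findall(html))


def render(html):
    """Per-request step: one nonce shared by the CSP header and the markup."""
    nonce = new_nonce()
    return build_csp(nonce), add_nonces(html, nonce)


if __name__ == "__main__":
    header, page = render(SAMPLE_HTML)
    print(header)
    print(page)
    print("inline scripts left unnonced:", count_unnonced_inline(page))
    print("inline handlers still to relocate:", count_inline_handlers(page))
```

      Run it and the header carries the same nonce as the rewritten <script> tag; the external script is allowed by 'self'. The onload attribute is reported as still needing relocation, which matches the page's point that a script-src policy blocks handler attributes as well as inline blocks.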

              Assignee: Unassigned
              Reporter: Alex [Atlassian, PSE] (allewellyn@atlassian.com)
              Votes: 5
              Watchers: 6