ZAP Scan on Argo Workflow UI reports CSP: script-src unsafe-inline & CSP: style-src unsafe-inline #12671
Replies: 1 comment 3 replies
-
|
cc @agilgur5 do you know? |
Beta Was this translation helpful? Give feedback.
-
|
I only looked at briefly so far at #2971 etc (note my reaction to the opening comment and labeling -- I'd have assigned myself if I could have, but this is a discussion, not an issue). |
Beta Was this translation helpful? Give feedback.
-
|
@agilgur5 Should I convert this into an issue? I thought of first asking here to know if it's done intentionally (incase some functionalities in UI do not work if this is not set) |
Beta Was this translation helpful? Give feedback.
-
|
Technically it should be a private, draft security disclosure 😅 Then we'd investigate to see what the ramifications would be and if any patches are necessary therein or if it's a false positive etc. That would likely effectively end up on my plate anyway though (as a UI and Security SME). |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
We have scanned Argo workflow UI using OWASP ZAP
CSP reported is
default-src 'self' 'unsafe-inline'; img-src 'self'ZAP tool reports this as a security issue.
Could you please provide some context on why this is set in the Argo Workflow UI?
References:
https://content-security-policy.com/unsafe-inline/
feat(ui): Enable CSP, HSTS, X-Frame-Options. Fixes #2760, #1376, #276… · argoproj/argo-workflows@9f86a4e (github.com)
Beta Was this translation helpful? Give feedback.
All reactions