Merge pull request #88802 from openshift-cherrypick-robot/cherry-pick-88593-to-enterprise-4.18

opayne1 · web-flow · commit 17b4c9c45732 · 2025-02-18T11:29:38.000-05:00
[enterprise-4.18] OSDOCS#13072:Adds Content Security Policy for web console
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -886,6 +886,8 @@ Topics:
     File: dynamic-plugins-get-started
   - Name: Deploy your plugin on a cluster
     File: deploy-plugin-cluster
+  - Name: Content Security Policy
+    File: content-security-policy
   - Name: Dynamic plugin example
     File: dynamic-plugin-example
   - Name: Dynamic plugin reference
diff --git a/modules/csp-overview.adoc b/modules/csp-overview.adoc
@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+//
+// * web_console/dynamic-plugin/content-security-policy.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="content-security-policy-overview_{context}"]
+= Content Security Policy (CSP) overview
+
+A Content Security Policy (CSP) is delivered to the browser in the `Content-Security-Policy-Report-Only` response header. The policy is specified as a series of directives and values. Each directive type serves a different purpose, and each directive can have a list of values representing allowed sources.
+
+[id="content-security-policy-key-features_{context}"]
+== Key features of `contentSecurityPolicy`
+
+[discrete]
+=== Directive Types
+
+The supported directive types include `DefaultSrc`, `ScriptSrc`, `StyleSrc`, `ImgSrc`, and `FontSrc`. These directives allow you to specify valid sources for loading different types of content for your plugin. Each directive type serves a different purpose. For example, `ScriptSrc` defines valid JavaScript sources, while `ImgSrc` controls where images can be loaded from.
+
+//backporting the ConnectSrc directive, but that is tbd - openshift/console#14701 and https://github.com/openshift/api/pull/2164
+
+
+[discrete]
+=== Values
+
+Each directive can have a list of values representing allowed sources. For example, `ScriptSrc` can specify multiple external scripts. These values are restricted to 1024 characters and cannot include whitespace, commas, or semicolons. Additionally, single-quoted strings and wildcard characters (`*`) are disallowed.
+
+[discrete]
+=== Unified Policy
+
+The {product-title} web console aggregates the CSP directives across all enabled `ConsolePlugin` custom resources (CRs) and merges them with its own default policy. The combined policy is then applied with the `Content-Security-Policy-Report-Only` HTTP response header.
+
+[discrete]
+=== Validation Rules
+* Each directive can have up to 16 unique values.
+* The total size of all values across directives must not exceed 8192 bytes (8KB).
+* Each value must be unique, and additional validation rules are in place to ensure no quotes, spaces, commas, or wildcard symbols are used.
diff --git a/web_console/dynamic-plugin/content-security-policy.adoc b/web_console/dynamic-plugin/content-security-policy.adoc
@@ -0,0 +1,25 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="content-security-policy_{context}"]
+= Content Security Policy (CSP)
+include::_attributes/common-attributes.adoc[]
+:context: content-security-policy
+
+toc::[]
+
+You can specify Content Security Policy (CSP) directives for your dynamic plugin using the `contentSecurityPolicy` field in the `ConsolePluginSpec` file. This field helps mitigate potential security risks by specifying which sources are allowed for fetching content like scripts, styles, images, and fonts. For dynamic plugins that require loading resources from external sources, defining custom CSP rules ensures secure integration into the {product-title} console.
+
+[IMPORTANT]
+====
+The console currently uses the `Content-Security-Policy-Report-Only` response header, so the browser will only warn about CSP violations in the web console and enforcement of CSP policies will be limited. CSP violations will be logged in the browser console, but the associated CSP directives will not be enforced. This feature is behind a `feature-gate`, so you will need to manually enable it.
+
+For more information, see xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-console_nodes-cluster-enabling[Enabling feature sets using the web console].
+====
+
+include::modules/csp-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="content-security-policy_additional-resources"]
+== Additional resources
+
+* link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)]
+
diff --git a/web_console/dynamic-plugin/dynamic-plugin-example.adoc b/web_console/dynamic-plugin/dynamic-plugin-example.adoc
@@ -8,4 +8,4 @@ toc::[]
 
 Before working through the example, verify that the plugin is working by following the steps in xref:../../web_console/dynamic-plugin/dynamic-plugins-get-started.adoc#dynamic-plugin-development_dynamic-plugins-get-started[Dynamic plugin development]
 
-include::modules/adding-tab-pods-page.adoc[leveloffset=+1]
+include::modules/adding-tab-pods-page.adoc[leveloffset=+1]

Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,4 @@ toc::[]`
`8`	`8`
`9`	`9`	`Before working through the example, verify that the plugin is working by following the steps in xref:../../web_console/dynamic-plugin/dynamic-plugins-get-started.adoc#dynamic-plugin-development_dynamic-plugins-get-started[Dynamic plugin development]`
`10`	`10`
`11`		`-include::modules/adding-tab-pods-page.adoc[leveloffset=+1]`
	`11`	`+include::modules/adding-tab-pods-page.adoc[leveloffset=+1]`