diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index e1921c7662a6..b7ed85fab449 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -886,6 +886,8 @@ Topics: File: dynamic-plugins-get-started - Name: Deploy your plugin on a cluster File: deploy-plugin-cluster + - Name: Content Security Policy + File: content-security-policy - Name: Dynamic plugin example File: dynamic-plugin-example - Name: Dynamic plugin reference diff --git a/modules/csp-overview.adoc b/modules/csp-overview.adoc new file mode 100644 index 000000000000..1282dfe2b8be --- /dev/null +++ b/modules/csp-overview.adoc @@ -0,0 +1,36 @@ +// Module included in the following assemblies: +// +// * web_console/dynamic-plugin/content-security-policy.adoc + +:_mod-docs-content-type: CONCEPT +[id="content-security-policy-overview_{context}"] += Content Security Policy (CSP) overview + +A Content Security Policy (CSP) is delivered to the browser in the `Content-Security-Policy-Report-Only` response header. The policy is specified as a series of directives and values. Each directive type serves a different purpose, and each directive can have a list of values representing allowed sources. + +[id="content-security-policy-key-features_{context}"] +== Key features of `contentSecurityPolicy` + +[discrete] +=== Directive Types + +The supported directive types include `DefaultSrc`, `ScriptSrc`, `StyleSrc`, `ImgSrc`, and `FontSrc`. These directives allow you to specify valid sources for loading different types of content for your plugin. Each directive type serves a different purpose. For example, `ScriptSrc` defines valid JavaScript sources, while `ImgSrc` controls where images can be loaded from. + +//backporting the ConnectSrc directive, but that is tbd - openshift/console#14701 and https://github.com/openshift/api/pull/2164 + + +[discrete] +=== Values + +Each directive can have a list of values representing allowed sources. For example, `ScriptSrc` can specify multiple external scripts. These values are restricted to 1024 characters and cannot include whitespace, commas, or semicolons. Additionally, single-quoted strings and wildcard characters (`*`) are disallowed. + +[discrete] +=== Unified Policy + +The {product-title} web console aggregates the CSP directives across all enabled `ConsolePlugin` custom resources (CRs) and merges them with its own default policy. The combined policy is then applied with the `Content-Security-Policy-Report-Only` HTTP response header. + +[discrete] +=== Validation Rules +* Each directive can have up to 16 unique values. +* The total size of all values across directives must not exceed 8192 bytes (8KB). +* Each value must be unique, and additional validation rules are in place to ensure no quotes, spaces, commas, or wildcard symbols are used. \ No newline at end of file diff --git a/web_console/dynamic-plugin/content-security-policy.adoc b/web_console/dynamic-plugin/content-security-policy.adoc new file mode 100644 index 000000000000..a5373dd458b4 --- /dev/null +++ b/web_console/dynamic-plugin/content-security-policy.adoc @@ -0,0 +1,25 @@ +:_mod-docs-content-type: ASSEMBLY +[id="content-security-policy_{context}"] += Content Security Policy (CSP) +include::_attributes/common-attributes.adoc[] +:context: content-security-policy + +toc::[] + +You can specify Content Security Policy (CSP) directives for your dynamic plugin using the `contentSecurityPolicy` field in the `ConsolePluginSpec` file. This field helps mitigate potential security risks by specifying which sources are allowed for fetching content like scripts, styles, images, and fonts. For dynamic plugins that require loading resources from external sources, defining custom CSP rules ensures secure integration into the {product-title} console. + +[IMPORTANT] +==== +The console currently uses the `Content-Security-Policy-Report-Only` response header, so the browser will only warn about CSP violations in the web console and enforcement of CSP policies will be limited. CSP violations will be logged in the browser console, but the associated CSP directives will not be enforced. This feature is behind a `feature-gate`, so you will need to manually enable it. + +For more information, see xref:../../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling-features-console_nodes-cluster-enabling[Enabling feature sets using the web console]. +==== + +include::modules/csp-overview.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="content-security-policy_additional-resources"] +== Additional resources + +* link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[Content Security Policy (CSP)] + diff --git a/web_console/dynamic-plugin/dynamic-plugin-example.adoc b/web_console/dynamic-plugin/dynamic-plugin-example.adoc index d8056a32d29b..67fa72d4b26b 100644 --- a/web_console/dynamic-plugin/dynamic-plugin-example.adoc +++ b/web_console/dynamic-plugin/dynamic-plugin-example.adoc @@ -8,4 +8,4 @@ toc::[] Before working through the example, verify that the plugin is working by following the steps in xref:../../web_console/dynamic-plugin/dynamic-plugins-get-started.adoc#dynamic-plugin-development_dynamic-plugins-get-started[Dynamic plugin development] -include::modules/adding-tab-pods-page.adoc[leveloffset=+1] +include::modules/adding-tab-pods-page.adoc[leveloffset=+1] \ No newline at end of file