<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 04:30:01 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MAGNOLIA-8141] Facilitate CSP headers configuration for projects</title>
                <link>https://jira.magnolia-cms.com/browse/MAGNOLIA-8141</link>
                <project id="10000" key="MAGNOLIA">Magnolia</project>
                    <description>&lt;p&gt;Currently, projects are on their own when setting the &lt;tt&gt;Content-Security-Policy&lt;/tt&gt; header (and the adjacent -Report-Only variant): they manipulate the filter chain and add an &lt;tt&gt;AddHeadersFilter&lt;/tt&gt;, as shown &lt;a href=&quot;https://docs.magnolia-cms.com/product-docs/6.2/Administration/Architecture/Request-processing-and-filters/Filters.html#_adding_http_headers&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;in the docs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This is error-prone, global to all sites, and supports only static behaviors with pre-configured fixed values. It is also far removed from project (light) development.&lt;/p&gt;

&lt;p&gt;We should do the same as we did for CORS (&lt;a href=&quot;https://jira.magnolia-cms.com/browse/MAGNOLIA-7215&quot; title=&quot;CORS &amp;amp; OPTIONS Pre-flight support&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MAGNOLIA-7215&quot;&gt;&lt;del&gt;MAGNOLIA-7215&lt;/del&gt;&lt;/a&gt; and &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSITE-101&quot; title=&quot;Support CORS configuration for Sites&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLSITE-101&quot;&gt;&lt;del&gt;MGNLSITE-101&lt;/del&gt;&lt;/a&gt;):&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Add a domain-specific &lt;tt&gt;CspFilter&lt;/tt&gt; implementation in core (an implementation detail), capable of adding CSP (and CSP Report-Only) headers based on the filter&apos;s own configuration.&lt;/li&gt;
	&lt;li&gt;Extend it with a &lt;tt&gt;SiteAwareCspFilter&lt;/tt&gt; in site-module, reading &lt;tt&gt;CspConfiguration&lt;/tt&gt; from the &lt;tt&gt;Site&lt;/tt&gt; definition (clone ticket when doing so).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This will allow projects to set it in YAML site definitions (to this date, this is still done via site module-config decoration).&lt;/p&gt;

&lt;p&gt;Out of scope:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;letting editors fill in the values (too technical for them anyway)&lt;/li&gt;
	&lt;li&gt;HSTS (may clone ticket at convenience)&lt;/li&gt;
&lt;/ul&gt;


&lt;h4&gt;&lt;a name=&quot;Originaldescription%28cloudspecific%29fromdlopez&quot;&gt;&lt;/a&gt;Original description (cloud-specific) from &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=dlopez&quot; class=&quot;user-hover&quot; rel=&quot;dlopez&quot;&gt;dlopez&lt;/a&gt;&lt;/h4&gt;

&lt;p&gt;The default CSP header value coming from magnolia-now-configuration (cloud bundle) doesn&apos;t work out for projects out of the box. As a matter of fact, the tendency is to switch it off.&lt;/p&gt;

&lt;p&gt;The topic is recurrent for any project doing penetration tests.&lt;/p&gt;</description>
                <environment></environment>
        <key id="82616">MAGNOLIA-8141</key>
            <summary>Facilitate CSP headers configuration for projects</summary>
                <type id="2" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10891&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/neutral.gif">Neutral</priority>
                        <status id="10433" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/generic.png" description="This issue has been evaluated by development and accepted to be planned in.">Accepted</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="mgeljic">Mika&#235;l Gelji&#263;</reporter>
                        <labels>
                            <label>security</label>
                    </labels>
                <created>Fri, 27 Dec 2019 14:13:06 +0100</created>
                <updated>Mon, 2 Jan 2023 14:32:15 +0100</updated>
                <due></due>
                            <votes>0</votes>
                                    <watches>6</watches>
                <comments>
                            <comment id="212864" author="ejervidalo" created="Wed, 11 Mar 2020 11:15:39 +0100"  >&lt;p&gt;IMO, this ticket should be about enabling CSP header configurations outside of the FilterChain. Could we move the actual configuration to a module&apos;s config node and inject it into the Filter? This would allow light-development on a project basis. And this is something that needs to be adapted per project.&lt;/p&gt;

&lt;p&gt;And for suggestions: that&apos;s a nice-to-have, but not a necessity.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10160">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10021">
                    <name>duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10010">
                    <name>relation</name>
                                            <outwardlinks description="is related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            <checklist><![CDATA[Empty]]></checklist>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 11 Mar 2020 11:15:39 +0100</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10246" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>CLOUD-4</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>asoto</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            3 years, 48 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>ejervidalo</customfieldvalue>
            <customfieldvalue>mgeljic</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzzxnu:0w4c9</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_13933" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Urgency (resolution)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15724"><![CDATA[Normal]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>