New security option csp

Hey all,

we did experience issues with the loading of libraries from the web in our own adjusted JS view nodes in the browsers.
“Content Security Policy: The page’s settings observed the loading of a resource at …”

I understood from KNIME this is related to a new setting under KNIME Server Version 4.8.1:
The following new configuration options have been added:

    • com.knime.server.csp-report-only
    • com.knime.server.webportal.csp

So far I managed to switch that to the report only and not to block content anymore.

I assume I can switch it completely off via the second option, but I found no example how to. I assume false does not work here.

I assume that our NGINX is doing that CSP stuff already and the KNIME Server does not need to have that twice.

Thank you!
Lars

PS. Maybe you could also provide examples for the second option.

Hi Lars,

You need to construct an appropriate CSP declaration and provide it to our server configuration option. The default value is

default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

The new value must not be more restrictive, otherwise the WebPortal will not work properly any more.

Cheers,
Roland

Hi Roland,

many thanks!

My issue is for example Content Security Policy: The page’s settings observed the loading of a resource at https://unpkg.com/leaflet@1.3.1/dist/leaflet.js (“script-src”).

From what I read it should then look like this in the knime file:

com.knime.server.webportal.csp: default-src 'self' https://unpkg.com/leaflet@1.3.1/*; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://unpkg.com/leaflet@1.3.1/; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

Is that the way it should look? I want to assure, that the defined library can be accessed and not the whole database.

Lars

Hi Lars,

It appears that you can only allow whole domains, and not individual files. Therefore the CSP should look like

default-src 'self' unpkg.com; script-src 'unsafe-inline' 'unsafe-eval' 'self' unpkg.com; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

Cheers,
Roland
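Whether a candidate value admits exactly what you intend can be checked offline before touching the server. What follows is an added example, not code from this thread or from KNIME: a small JavaScript model of the source-expression matching rules in the CSP specification, fed with the server default from Roland's first reply and the `unpkg.com` policy from his second. It also models path-based host sources such as `https://unpkg.com/leaflet@1.3.1/`, which the CSP Level 2 specification defines and current browsers honour; whether KNIME Server passes such a value through unchanged is an assumption this thread does not confirm. The page origin, the sample fetch list and the `UNPKG_PATH_CSP` policy are constructed for the example.

```javascript
// Added example (not KNIME's code): a model of CSP source-expression matching per the CSP specification,
// used to check what a com.knime.server.webportal.csp value lets the browser load. Simplifications:
// no redirects, nonces, hashes or 'strict-dynamic'; 'self' is an exact origin comparison.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
// Fetch directives that fall back to default-src when they are absent.
const FALLBACK = { "script-src": "default-src", "style-src": "default-src", "img-src": "default-src", "connect-src": "default-src" };

// "a b; c d e" -> { a: ["b"], c: ["d", "e"] }; a repeated directive keeps its first value.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Split a host-source such as "https://unpkg.com:443/leaflet@1.3.1/" into scheme, host, port and path.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, host: m[2].toLowerCase(), port: m[3] || null, path: m[4] || "" };
}

// An http: (ws:) expression also admits https: (wss:), never the other way round.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:") ||
    (exprScheme === "ws:" && urlScheme === "wss:");
}
// "*.x.com" matches "a.x.com" but not "x.com" itself.
function hostMatches(exprHost, urlHost) {
  if (exprHost === "*") return true;
  if (exprHost.startsWith("*.")) return urlHost.endsWith(exprHost.slice(1));
  return exprHost === urlHost;
}
// No port in the expression means the URL must use the default port of its scheme.
function portMatches(exprPort, urlScheme, urlPort) {
  const effective = urlPort || DEFAULT_PORTS[urlScheme] || "";
  if (exprPort === null) return effective === (DEFAULT_PORTS[urlScheme] || "");
  return exprPort === "*" || exprPort === effective;
}
// A path ending in "/" is a directory-prefix match; anything else must match exactly.
// "*" inside a path is an ordinary character, not a wildcard.
function pathMatches(exprPath, urlPath) {
  if (exprPath === "") return true;
  return exprPath.endsWith("/") ? urlPath.startsWith(exprPath) : exprPath === urlPath;
}

function sourceMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower.startsWith("'")) return false;  // 'unsafe-inline', 'unsafe-eval' etc. are not URL sources
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return schemeMatches(lower, url.protocol);  // scheme-source, e.g. data:
  const hs = parseHostSource(expr);
  if (!hs) return false;
  const scheme = hs.scheme || new URL(pageOrigin).protocol;  // a schemeless host-source inherits the page's scheme
  return schemeMatches(scheme, url.protocol) && hostMatches(hs.host, url.hostname) &&
    portMatches(hs.port, url.protocol, url.port) && pathMatches(hs.path, url.pathname);
}

// True when a page at pageOrigin may load urlString under `directive` (e.g. "script-src").
function allows(policy, directive, urlString, pageOrigin) {
  const directives = parsePolicy(policy);
  let name = directive.toLowerCase();
  if (!(name in directives)) {
    name = FALLBACK[name];
    if (!name || !(name in directives)) return true;  // nothing governs this fetch
  }
  const url = new URL(urlString);
  return directives[name].some((expr) => sourceMatches(expr, url, pageOrigin));
}

// The fetches a policy would block: what the browser console or a report-only endpoint would list.
function blockedFetches(policy, pageOrigin, fetches) {
  return fetches.filter((f) => !allows(policy, f.directive, f.url, pageOrigin));
}

// Policies from the thread (server default, Roland's unpkg.com version) plus an assumed path-based
// variant (CSP Level 2 syntax) that admits only the Leaflet 1.3.1 directory on unpkg.com.
const KNIME_DEFAULT_CSP = "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self' data:;";
const UNPKG_HOST_CSP = "default-src 'self' unpkg.com; script-src 'unsafe-inline' 'unsafe-eval' 'self' unpkg.com; style-src 'unsafe-inline' 'self'; img-src 'self' data:;";
const UNPKG_PATH_CSP = "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://unpkg.com/leaflet@1.3.1/; style-src 'unsafe-inline' 'self'; img-src 'self' data:;";
const PAGE_ORIGIN = "https://knime.example.com";  // assumed WebPortal origin, no trailing slash
const LEAFLET_JS = "https://unpkg.com/leaflet@1.3.1/dist/leaflet.js";
// Constructed sample fetches: the portal's own script, the Leaflet script and an inline data: image.
const SAMPLE_FETCHES = [
  { directive: "script-src", url: PAGE_ORIGIN + "/knime/webportal/app.js" },
  { directive: "script-src", url: LEAFLET_JS },
  { directive: "img-src", url: "data:image/png;base64,iVBORw0KGgo=" },
];

for (const [name, policy] of Object.entries({ KNIME_DEFAULT_CSP, UNPKG_HOST_CSP, UNPKG_PATH_CSP })) {
  console.log(name, "blocks:", blockedFetches(policy, PAGE_ORIGIN, SAMPLE_FETCHES).map((f) => f.url));
}
```

Run with `node`, the default policy reports the Leaflet script as blocked, the two others report nothing. The point worth keeping in mind when choosing between them: `unpkg.com` admits every file on that CDN, including any package an attacker can publish to npm, while the path form is pinned to one directory of one version. A path-based value with a trailing `*` (as in the earlier draft) would match nothing, since `*` is literal inside a path. Whatever value you pick, run it under `com.knime.server.csp-report-only` first and watch the console for anything else the WebPortal loads.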

Thanks a lot.

And how do I switch it completely off?

Hi Lars,

It’s not possible to disable CSP. However, if you are running behind nginx anyway, you can simply remove the header there.

Cheers,
Roland
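For the nginx route Roland describes, here is an added configuration example; it is not from this thread, from KNIME or from the nginx documentation. It assumes KNIME Server is reverse-proxied with `proxy_pass` under `/knime/`; the upstream address, server name and paths are placeholders.

```nginx
# Added example (not KNIME's or nginx's own config): nginx in front of KNIME Server.
# Upstream address, server_name and location prefix are assumptions, not values from the thread.
server {
    listen 443 ssl;
    server_name knime.example.com;

    location /knime/ {
        proxy_pass http://127.0.0.1:8080/knime/;
        proxy_set_header Host $host;

        # Strip the policy headers KNIME Server adds (enforcing and report-only),
        # so the browser only sees what nginx sends. With nothing else below,
        # the WebPortal then runs with no CSP at all.
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Content-Security-Policy-Report-Only;

        # Optional: send nginx's own policy instead. It must not be more
        # restrictive than the KNIME default, or the WebPortal breaks.
        # "always" keeps the header on error responses as well.
        add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' unpkg.com; style-src 'unsafe-inline' 'self'; img-src 'self' data:;" always;
    }
}
```

Two things to check after a reload: `curl -sI https://knime.example.com/knime/` should show exactly one `Content-Security-Policy` header, and any `add_header` directives inherited from the `server` block are no longer applied inside this `location` once it declares its own `add_header`, so repeat them here if you rely on them.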
