New security option csp

#1

Hey all,

we did experience issues with the loading of librarys from the web in our own adjusted JS view nodes in the browsers.
“Content Security Policy: The page’s settings observed the loading of a resource at …”

I understood from KNIME this is related to a new setting under KNIME Server Version 4.8.1:
The following new configuration options have been added:

    • com.knime.server.csp-report-only
    • com.knime.server.webportal.csp

So far I managed to switch that to the report only and not to block content anymore.

I assume I can switch it completely off via the second option, but I found no example how to. I assume false does not work here.

I assume that our NGINX is doing that CSP stuff already and the KNIME Server does not need to have that twice.

Thank you!
Lars

PS. Maybe you could also provide examples for the second option.

0 Likes

#2

Hi Lars,

You need to construct an appropriate CSP declaration and provide it to our server configuration option. The default value is

default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

The new value must not be more restrictive otherwise the WebPortal will not work properly any more.

Cheers,
Roland

0 Likes

#3

Hi Roland,

many thanks!

My issue is for example Content Security Policy: The page’s settings observed the loading of a resource at https://unpkg.com/leaflet@1.3.1/dist/leaflet.js (“script-src”).

From what I read it should then look like this in the knime file:

com.knime.server.webportal.csp: default-src 'self' https://unpkg.com/leaflet@1.3.1/*; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://unpkg.com/leaflet@1.3.1/; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

Is that the way it should look? I want to assure, that the defined library can be accessed and not the whole database.

Lars

0 Likes

#4

Hi Lars,

it appears that you can only allow whole domains, and not individual files. Therefore the CSP should look like

default-src 'self' unpkg.com; script-src 'unsafe-inline' 'unsafe-eval' 'self' unpkg.com; style-src 'unsafe-inline' 'self'; img-src 'self' data:;

Cheers,
Roland

0 Likes

#5

Thanks a lot.

And how do I switch it completely off?

0 Likes

#6

Hi Lars,

It’s not possible to disable CSP. However, if you are running behing nginx anyway, you can simply remove the header there.

Cheers,
Roland

0 Likes

closed #7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

0 Likes