test(headers): mark portal CSP/COOP/CORP as test.fixme pending bundle#80#62

Closed
awais786 wants to merge 1 commit into main from portal-csp-corp-fixme

Conversation

@awais786 (Collaborator) commented Jun 5, 2026

CI on every PR has been failing on this assertion for several days:

  Main portal (https://foss.arbisoft.com) HTML-hardening violations:
    content-security-policy: allows 'unsafe-inline' in script-src
      ("script-src 'self' 'unsafe-inline'") — defeats CSP's
      XSS protection. Use nonces or hashes
    cross-origin-resource-policy: missing — must be set to declare
      an explicit cross-origin embedding policy

Both gaps are correctly identified — they're real bundle-side defects I filed at foss-server-bundle#80 earlier this month:

  • Portal nginx CSP has script-src 'self' 'unsafe-inline'. 'unsafe-inline' defeats CSP's XSS mitigation (a reflected / stored XSS can execute attacker JS even with the CSP present).
  • Portal nginx doesn't emit Cross-Origin-Resource-Policy at all. Defence-in-depth gap for cross-origin subresource embedding.

The 3 1-line nginx fixes named in #80:

  • Drop 'unsafe-inline' from script-src (use nonces/hashes)
  • add_header Cross-Origin-Resource-Policy "same-origin" always;
  • server_tokens off; (the Server-header version-leak — tracked by a separate test that's already passing once the equivalent fixme lands)

Decision: test.fixme, not test deletion or assertion relaxation

The same pattern landed in PR #52 for the cache-control-authed portal test (also pending foss-server-bundle#83). Reasoning:

  • The test is correct → don't delete.
  • The defect is filed → don't lose the tracking.
  • CI is red on a bundle defect, not on the PR under test → don't block legitimate merges.
  • When bundle ships, removing .fixme flips it live in a one-line follow-up commit.

Audit

88 covered/deferred/missing total unchanged (this PR doesn't add or remove requirements; the @SPEC tag on the test still points at security-hardening#portal-html-responses-shall-emit-csp-coop-corp).
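As an added example (not the repository's own test code), the check below implements the kind of header-hardening assertion the failing test makes: it parses a Content-Security-Policy value, flags a bare 'unsafe-inline' in the effective script-src, and flags a missing Cross-Origin-Opener-Policy or Cross-Origin-Resource-Policy. It goes slightly beyond the quoted assertion by tolerating 'unsafe-inline' when a nonce, hash or 'strict-dynamic' sits in the same directive, since CSP3 browsers ignore it in that case. A small fixmeVerdict helper models the decision above: a test whose failures are already filed is deferred with a tracking reference rather than deleted. The header sets, the nonce value and all function names are constructed assumptions, not captured portal responses.

```javascript
// Added example, not the project's own test: a header-hardening check of the
// kind the PR's failing assertion describes, run over constructed header sets.
// The weak set mirrors the two violations quoted in the PR; the hardened set
// applies the nginx fixes named in #80. All values here are assumptions.

// Parse a CSP value into { directiveName: [sources] }; directive names are
// case-insensitive, source values are kept as written (nonces/hashes are
// case-sensitive in real policies).
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src falls back to default-src when it is absent.
function effectiveScriptSrc(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Returns the list of violations for one HTML response's headers
// (header names lower-cased, as a fetch/Playwright headers() object is).
function checkHtmlHardening(headers) {
  const violations = [];

  const csp = headers['content-security-policy'];
  if (!csp) {
    violations.push('content-security-policy: missing');
  } else {
    const scriptSrc = effectiveScriptSrc(parseCsp(csp));
    if (!scriptSrc) {
      violations.push('content-security-policy: neither script-src nor default-src set');
    } else {
      const lower = scriptSrc.map((s) => s.toLowerCase());
      // CSP3 browsers ignore 'unsafe-inline' when a nonce/hash or 'strict-dynamic'
      // is present in the same directive, so only the bare form is a real gap.
      const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
      const strictDynamic = lower.includes("'strict-dynamic'");
      if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
        violations.push("content-security-policy: allows 'unsafe-inline' in script-src (use nonces or hashes)");
      }
    }
  }

  const coop = (headers['cross-origin-opener-policy'] || '').trim().toLowerCase();
  if (!coop) {
    violations.push('cross-origin-opener-policy: missing');
  } else if (coop !== 'same-origin') {
    violations.push(`cross-origin-opener-policy: ${coop} (expected same-origin)`);
  }

  const corp = (headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  if (!corp) {
    violations.push('cross-origin-resource-policy: missing');
  } else if (!['same-origin', 'same-site', 'cross-origin'].includes(corp)) {
    violations.push(`cross-origin-resource-policy: unrecognised value ${corp}`);
  }

  return violations;
}

// Models the PR's decision: failures that are already-filed bundle defects are
// deferred with a tracking reference; without one they stay hard failures.
function fixmeVerdict(violations, trackingIssue) {
  if (violations.length === 0) return { status: 'pass', violations };
  return trackingIssue
    ? { status: 'fixme', reason: `pending ${trackingIssue}`, violations }
    : { status: 'fail', violations };
}

// Constructed header sets (assumptions, not captured portal responses).
const WEAK_PORTAL_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'cross-origin-opener-policy': 'same-origin',
  // no cross-origin-resource-policy emitted at all
};
const HARDENED_PORTAL_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'",
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
};

console.log(fixmeVerdict(checkHtmlHardening(WEAK_PORTAL_HEADERS), 'foss-server-bundle#80'));
console.log(fixmeVerdict(checkHtmlHardening(HARDENED_PORTAL_HEADERS), 'foss-server-bundle#80'));
```

Run with `node`, the weak set yields the two violations quoted in the PR and a `fixme` verdict; the hardened set yields none and passes. Once the bundle fix ships, dropping the tracking reference (the equivalent of removing `.fixme`) turns any remaining violation back into a hard failure.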


@awais786 awais786 closed this Jun 5, 2026