Details
- Task
- Status: Closed
- Normal
- Resolution: Fixed
- 15.6.0
- None
- Flagged
- Orion
- Orion.Cycle6.Sprint
- Undetermined
Description
If a user disables usage statistics and wants to remove all the domains related to it from the Content Security Policy (CSP), most of them can be removed in the CSP configuration in the repository. The only exception is the domain hippocdn.global.ssl.fastly.net, because it is hard-coded in the CSP.
When usage statistics is disabled, the third-party script https://hippocdn.global.ssl.fastly.net/s/15.6.0/2024-6-1/cms.js is not loaded, so the domain hippocdn.global.ssl.fastly.net is not needed in the CSP. It is also not used anywhere else.
Bloomreach Experience Manager and the Wicket framework it uses only make calls to the same origin.
The exception to this is the inclusion of the cms.js script hosted at hippocdn.global.ssl.fastly.net, which is used for usage statistics, and the subsequent calls it makes to include scripts from segment.com and the integrations enabled there. All of those are trusted origins. The inclusion of the cms.js script can also be prevented by disabling usage statistics.
Reference: https://xmdocumentation.bloomreach.com/about/security-3rd-party-vulnerabilities.html
It would be really nice if the hippocdn.global.ssl.fastly.net domain were configured in the CSP configuration rather than hard-coded in the CSP.
- https://xmdocumentation.bloomreach.com/library/concepts/usage-statistics/usage-statistics.html
- https://xmdocumentation.bloomreach.com/library/concepts/security/content-security-policy.html
- https://xmdocumentation.bloomreach.com/about/security-3rd-party-vulnerabilities.html
- https://issues.onehippo.com/browse/CMS-14041
Default CSP:
{{content-security-policy: default-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval' hippocdn.global.ssl.fastly.net app.pendo.io cdn.pendo.io cdn.segment.com data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5285379033268224.storage.googleapis.com maps.googleapis.com;
style-src 'self' 'unsafe-inline' app.pendo.io cdn.pendo.io pendo-static-5285379033268224.storage.googleapis.com storage.googleapis.com/pendo-static-5285379033268224/ fonts.googleapis.com/css;
img-src 'self' data: app.pendo.io cdn.pendo.io data.pendo.io pendo-static-5285379033268224.storage.googleapis.com storage.googleapis.com/pendo-static-5285379033268224/ maps.googleapis.com maps.gstatic.com data:;
connect-src 'self' app.pendo.io data.pendo.io pendo-static-5285379033268224.storage.googleapis.com maps.googleapis.com;
font-src 'self';
manifest-src 'self';
child-src 'self';
frame-ancestors 'self' app.pendo.io;
base-uri 'self';
frame-src 'self' app.pendo.io bloomreach-products.auth0.com bloomreach-dev.us.auth0.com tools.bloomreach.com tools.bloomreach.co.uk tools-staging.bloomreach.com tools-staging.bloomreach.co.uk tools-dev.bloomreach.com tools-dev.bloomreach.co.uk tools-sandbox.bloomreach.com tools-sandbox.bloomreach.co.uk}}
Testing
- In the Network tab in Chrome, check that the Content-Security-Policy response header of the request /cms/?1 contains hippocdn.global.ssl.fastly.net in script-src.
- Then open the console and check that the property /hippo:configuration/hippo:modules/application-settings/hippo:moduleconfig/content-security-policy contains hippocdn.global.ssl.fastly.net in script-src.
- Follow the steps described in https://xmdocumentation.bloomreach.com/library/concepts/usage-statistics/usage-statistics.html to disable usage statistics. After you disable usage statistics, remove hippocdn.global.ssl.fastly.net from script-src.
- Check that everything works fine.
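As an added example (not from the issue or from the Bloomreach code base), the header check in the testing steps above, automated: parse the CSP header, confirm the usage-statistics host is allowed only by script-src, and build the policy with that host removed. The CSP string is abbreviated from the default CSP quoted above (script-src kept verbatim) and is constructed here as sample input.

```python
from __future__ import annotations

# Constructed sample input, abbreviated from the issue's default CSP.
DEFAULT_CSP = (
    "default-src 'none'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' hippocdn.global.ssl.fastly.net "
    "app.pendo.io cdn.pendo.io cdn.segment.com data.pendo.io "
    "pendo-io-static.storage.googleapis.com "
    "pendo-static-5285379033268224.storage.googleapis.com maps.googleapis.com; "
    "connect-src 'self' app.pendo.io data.pendo.io maps.googleapis.com; "
    "frame-ancestors 'self' app.pendo.io; "
    "font-src 'self'"
)
USAGE_STATS_HOST = "hippocdn.global.ssl.fastly.net"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}, keeping directive order."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # Browsers ignore repeated directives, so the first occurrence wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Re-join a parsed policy into header form."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


def directives_allowing(policy: dict[str, list[str]], host: str) -> list[str]:
    """Every directive that lists `host` as a source (host names compare case-insensitively)."""
    return [name for name, srcs in policy.items()
            if any(s.lower() == host.lower() for s in srcs)]


def drop_host(policy: dict[str, list[str]], directive: str, host: str) -> dict[str, list[str]]:
    """Copy of `policy` with `host` removed from `directive`; other directives are untouched."""
    hardened = {name: list(srcs) for name, srcs in policy.items()}
    hardened[directive] = [s for s in hardened.get(directive, []) if s.lower() != host.lower()]
    return hardened


if __name__ == "__main__":
    policy = parse_csp(DEFAULT_CSP)
    print("allowed by:", directives_allowing(policy, USAGE_STATS_HOST))
    print(serialize_csp(drop_host(policy, "script-src", USAGE_STATS_HOST)))
```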