Security scanner reports insecure configurations of HTTP response header fields

Article ID: 320516

Updated On: 04-04-2024

Products

VMware Cloud Director

Issue/Introduction

  • Security scanner reports that the header in the Cloud Director UI is too permissive.
  • Content-Security-Policy header contains unsafe-inline and unsafe-eval in the default-src and script-src definitions.
  • In the Content-Security-Policy, the following values were found for the default-src and script-src parameters: unsafe-inline, unsafe-eval.
  • Example of the header as shown in the security report:
Content-Security-Policy: default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
  • The suggested approach for establishing a Content Security Policy is to first set default-src to 'self' or 'none' and then build up the other directives as needed.
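As an added illustration (not part of the KB article), the check below parses the policy quoted above and reports the sources a scanner objects to in default-src and script-src, then runs the same check against a policy built the way the article recommends; the hardened policy is a constructed example, not a VMware-supplied setting.

```python
# Permissive CSP exactly as quoted in the scanner report on this page.
REPORTED_CSP = ("default-src * data: blob: 'unsafe-inline' 'unsafe-eval'; "
                "script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; "
                "img-src * data: blob: 'unsafe-inline'; frame-src *; "
                "style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';")

# Constructed hardened policy: default-src 'self' first, then only the
# directives actually needed (assumed values, not a VMware default).
HARDENED_CSP = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
                "img-src 'self' data:; style-src 'self'; font-src 'self'; frame-src 'none'")

# Source expressions the report flags as too permissive.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:  # skips the empty segment left by a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives such as script-src inherit default-src when absent,
    so an unsafe default-src governs scripts even without an explicit script-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def find_csp_findings(header):
    """Return {directive: [risky sources]} for default-src and script-src."""
    policy = parse_csp(header)
    findings = {}
    for directive in ("default-src", "script-src"):
        risky = [s for s in effective_sources(policy, directive) if s in RISKY_SOURCES]
        if risky:
            findings[directive] = risky
    return findings


if __name__ == "__main__":
    for name, csp in (("reported", REPORTED_CSP), ("hardened", HARDENED_CSP)):
        print(name, find_csp_findings(csp) or "no findings")
```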


Environment

VMware Cloud Director 10.x
VMware Cloud Director for Service Provider 10.x

Resolution

This is a known issue with Cloud Director and requires a product change.
VMware Engineering plans to address this in a future release of Cloud Director.