The use of 'unsafe-inline', 'unsafe-eval' or '*' in the Content-Security-Policy lines of manifest.json files is the equivalent of 'setenforce 0'.
http://cockpit-project.org/guide/latest/packages.html#package-manifest
It's not okay to disable this security measure for code included in the Cockpit codebase. This security measure prevents XSS, code-injection and other security attacks.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
To bring this closer to home, the following aren't allowed:
* onclick='...' attributes -> Attach event handlers from JavaScript instead.
* <script> ... </script> inline scripts -> Include a script file rather than inline scripts
* <style> ... </style> inline CSS -> Include this in your CSS file rather than inline
* style='...' attributes -> Use your CSS file or JavaScript to set dynamic styles
* eval() or Function() -> Never evaluate JavaScript directly
By default Cockpit will refuse to allow them in loaded pages or JavaScript ... and we shouldn't use 'unsafe-inline' or 'unsafe-eval' in the manifest.json file to bypass this.
I've added some testing so that such code in the Cockpit repository will be detected.
https://github.com/cockpit-project/cockpit/pull/7391
Happy hacking,
Stef
cockpit-devel@lists.fedorahosted.org
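Editor's added example (not Cockpit's code and not the test from the pull request above): a small Node script that flags the constructs listed in the message, so a contributor can see what Cockpit's default Content-Security-Policy rejects before running the real test suite. It is a regex approximation, not an HTML parser; the rule names, the advice strings and the sample pages at the bottom are all made up for this illustration. It will miss some things the policy also blocks, for example a javascript: URL in an href, or a style attribute written at runtime with element.setAttribute('style', ...), which counts as inline CSS even though element.style.display = 'none' does not.

```javascript
// Added example: flag markup and script constructs that Cockpit's default
// Content-Security-Policy blocks. Rule names and advice are ours, not Cockpit's.

// Rules for HTML sources: [name, regex, advice]. Each pattern is confined to a
// single tag with [^>]*, so attributes inside one element never leak into the next.
const HTML_RULES = [
  ["inline-event-handler", /<[^>]*\s(on[a-z]+)\s*=/gi,
   "attach the handler with addEventListener() from a script file"],
  ["inline-script", /<script(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi,
   "move the code to a .js file and reference it with <script src>"],
  ["inline-style-element", /<style[^>]*>[\s\S]*?<\/style>/gi,
   "move the rules to a .css file"],
  ["inline-style-attribute", /<[^>]*\sstyle\s*=/gi,
   "use a CSS class, or assign element.style.* from JavaScript"],
];

// Rules for JavaScript sources: each of these only works with 'unsafe-eval'.
const JS_RULES = [
  ["eval", /\beval\s*\(/g,
   "parse data with JSON.parse() instead of evaluating it"],
  ["function-constructor", /(?<![.\w])(?:new\s+)?Function\s*\(/g,
   "write an ordinary function instead of building code from strings"],
  ["string-timer", /\b(setTimeout|setInterval)\s*\(\s*['"`]/g,
   "pass a function to the timer, not a string"],
];

// 1-based line number of a character offset within text.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Run every rule over text and return findings sorted by line.
function scan(text, rules) {
  const findings = [];
  for (const [name, pattern, advice] of rules) {
    pattern.lastIndex = 0;                       // global regexes keep state between calls
    let m;
    while ((m = pattern.exec(text)) !== null) {
      findings.push({ rule: name, line: lineOf(text, m.index), advice });
      if (m[0].length === 0) pattern.lastIndex++; // never loop on an empty match
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

function scanHtml(html) { return scan(html, HTML_RULES); }
function scanJs(js) { return scan(js, JS_RULES); }

// Human-readable report, one line per finding.
function formatReport(label, findings) {
  if (findings.length === 0) return `${label}: no CSP violations found`;
  return [`${label}: ${findings.length} CSP violation(s)`]
    .concat(findings.map(f => `  line ${f.line}: ${f.rule} -> ${f.advice}`))
    .join("\n");
}

// Constructed samples (not from any Cockpit page): one of each disallowed construct,
// and the equivalent page and script rewritten so they work under the default policy.
const SAMPLE_BAD_HTML = `<html>
<head>
  <style>.warn { color: red; }</style>
  <script>window.onload = init;</script>
</head>
<body>
  <button onclick="doThing()">Go</button>
  <div style="display: none">hidden</div>
</body>
</html>`;

const SAMPLE_GOOD_HTML = `<html>
<head>
  <link rel="stylesheet" href="page.css">
  <script src="page.js"></script>
</head>
<body>
  <button id="go">Go</button>
  <div id="box" class="hidden">hidden</div>
</body>
</html>`;

const SAMPLE_BAD_JS = `const cfg = eval("(" + text + ")");
const fn = new Function("a", "return a + 1");
setTimeout("tick()", 1000);`;

// Setting element.style.display from script is allowed: CSP restricts inline
// style attributes and <style> elements, not CSSOM property assignment.
const SAMPLE_GOOD_JS = `const cfg = JSON.parse(text);
const fn = a => a + 1;
setTimeout(tick, 1000);
document.getElementById("go").addEventListener("click", doThing);
document.getElementById("box").style.display = "none";`;

console.log(formatReport("bad.html", scanHtml(SAMPLE_BAD_HTML)));
console.log(formatReport("good.html", scanHtml(SAMPLE_GOOD_HTML)));
console.log(formatReport("bad.js", scanJs(SAMPLE_BAD_JS)));
console.log(formatReport("good.js", scanJs(SAMPLE_GOOD_JS)));
```

Run it with node; the bad samples produce one finding per disallowed construct with a line number, and the rewritten samples produce none. A scanner like this is a pre-commit convenience only: the browser enforcing the policy from manifest.json is the real check, and the fix for a finding is always to move the code, never to add 'unsafe-inline' or 'unsafe-eval' to the manifest.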