fix: Changes NGINX Content-Security-Policy configuration to allow dat…

…a urls as image src and adds `data:` to the forbidden keywords.

Co-authored-by: Jens Kutzsche <github@gebea.de>
PR #862

infrastructure/dev/nginx/iris-client.conf.template

@@ -40,7 +40,7 @@ server {
     # X Frame Options - no iframes allowed
     add_header X-Frame-Options DENY;
     # Content Security Policy - no iframes or external resources allowed
-    add_header Content-Security-Policy "default-src 'self'; child-src 'none'; frame-ancestors 'none';";
+    add_header Content-Security-Policy "default-src 'self'; child-src 'none'; frame-ancestors 'none'; object-src 'none'; img-src 'self' data:;";
     # X-XSS-Protection - legacy, should be covered by CSP
     add_header X-XSS-Protection "1; mode=block";
     # Referrer-Policy

infrastructure/docker/nginx/config/templates/iris-client.conf.template

@@ -54,7 +54,7 @@ server {
     # X Frame Options - no iframes allowed
     add_header X-Frame-Options DENY;
     # Content Security Policy - no iframes or external resources allowed
-    add_header Content-Security-Policy "default-src 'self'; child-src 'none'; frame-ancestors 'none';";
+    add_header Content-Security-Policy "default-src 'self'; child-src 'none'; frame-ancestors 'none'; object-src 'none'; img-src 'self' data:;";
     # X-XSS-Protection - legacy, should be covered by CSP
     add_header X-XSS-Protection "1; mode=block";
     # Referrer-Policy

iris-client-bff/src/main/java/iris/client_bff/core/validation/AttackDetector.java

@@ -95,6 +95,7 @@ public interface MessageDataPayload extends Payload {}
 	private static final String[][] FORBIDDEN_KEYWORD_TUPLES = {
 			{ "<SCRIPT" },
 			{ "JAVASCRIPT:" },
+			{ "DATA:" },
 			{ "SELECT", "FROM" },
 			{ "INSERT", "INTO" },
 			{ "UPDATE", "SET" },