|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (28 fixed, 14 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (29 fixed, 13 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1977,6 +1977,24 @@
|
|
|
`payment`, `usb`, `magnetometer`, `gyroscope`, `accelerometer`,
|
|
|
`fullscreen`, `display-capture`, `clipboard-read`, etc.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. The narrow `geolocation=(), microphone=(),
|
|
|
+ camera=()` was extended to a full deny-list of every browser
|
|
|
+ feature the admin UI doesn't use:
|
|
|
+ `accelerometer`, `ambient-light-sensor`, `autoplay`, `battery`,
|
|
|
+ `bluetooth`, `camera`, `clipboard-read`, `display-capture`,
|
|
|
+ `encrypted-media`, `fullscreen`, `gamepad`, `geolocation`,
|
|
|
+ `gyroscope`, `hid`, `idle-detection`, `interest-cohort` (FLoC),
|
|
|
+ `magnetometer`, `microphone`, `midi`, `payment`,
|
|
|
+ `picture-in-picture`, `screen-wake-lock`, `serial`,
|
|
|
+ `speaker-selection`, `usb`, `web-share`, `xr-spatial-tracking`.
|
|
|
+ `clipboard-write` is left at its same-origin default on the UI
|
|
|
+ Caddyfile so the existing `rawTokenCopy` Alpine component on the
|
|
|
+ Tokens page can still write the freshly-issued raw token to the
|
|
|
+ clipboard; the api Caddyfile denies `clipboard-write` outright
|
|
|
+ because the api never serves a page that needs it. Both
|
|
|
+ Caddyfiles validated with `frankenphp validate --adapter
|
|
|
+ caddyfile -e APP_ENV=production` — both report "Valid
|
|
|
+ configuration".
|
|
|
|
|
|
### F62 — CSP `style-src 'unsafe-inline'` enables CSS-attribute-selector exfiltration
|
|
|
- **File:** `ui/docker/Caddyfile:33`
|
chiappa