OCPBUGS-77931: Loosen default img-src CSP

[logonoff]

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this (e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Summary by CodeRabbit

• New Features

  • Updated Content Security Policy to allow images loaded over HTTPS by default, reducing configuration requirements for plugins.

• Bug Fixes

  • Improved CSP violation detection and reporting for image source issues.

• Documentation

  • Added release notes documenting CSP policy changes and plugin configuration guidance for HTTP image sources.

[openshift-ci-robot]

@logonoff: This pull request references Jira Issue OCPBUGS-77931, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this, e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: logonoff
Once this PR has been reviewed and has the lgtm label, please assign jhadvig for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS [logonoff]
• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@logonoff: This pull request references Jira Issue OCPBUGS-77931, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this, e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Summary by CodeRabbit

• New Features

• Updated Content Security Policy to allow images loaded over HTTPS by default, reducing configuration requirements for plugins.

• Bug Fixes

• Improved CSP violation detection and reporting for image source issues.

• Documentation

• Added release notes documenting CSP policy changes and plugin configuration guidance for HTTP image sources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: yapei.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@logonoff: This pull request references Jira Issue OCPBUGS-77931, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

In response to this:

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this, e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Summary by CodeRabbit

• New Features

• Updated Content Security Policy to allow images loaded over HTTPS by default, reducing configuration requirements for plugins.

• Bug Fixes

• Improved CSP violation detection and reporting for image source issues.

• Documentation

• Added release notes documenting CSP policy changes and plugin configuration guidance for HTTP image sources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@logonoff: This pull request references Jira Issue OCPBUGS-77931, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

Details

In response to this:

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this (e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Summary by CodeRabbit

• New Features

• Updated Content Security Policy to allow images loaded over HTTPS by default, reducing configuration requirements for plugins.

• Bug Fixes

• Improved CSP violation detection and reporting for image source issues.

• Documentation

• Added release notes documenting CSP policy changes and plugin configuration guidance for HTTP image sources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: yapei.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@logonoff: This pull request references Jira Issue OCPBUGS-77931, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @yapei

In response to this:

Analysis / Root cause:

Changes the default img-src CSP from self data: to self https: data:.

There are multiple places where we explicitly allow icons any origin (e.g., helm charts, devfiles, templates, topology). Enforcing icons be data-uri only would be very difficult to achieve upstream, and proxying the icons would introduce SSRF risks.

Solution description:

I can imagine a few risks to this (e.g., IP fingerprinting, exposure to potential zero-days in browsers rendering images) but we already have these troubles today (as we're in report-only mode) and there have been no reported CVEs yet..

I've changed the policy to https and not * as all of our pre-existing icons are already linking to https endpoints and so we can at least prevent mixed-content warnings here

Test cases:

• Run e2e

Summary by CodeRabbit

• New Features

• Updated Content Security Policy to allow images loaded over HTTPS by default, reducing configuration requirements for plugins.

• Bug Fixes

• Improved CSP violation detection and reporting for image source issues.

• Documentation

• Added release notes documenting CSP policy changes and plugin configuration guidance for HTTP image sources.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request expands the Content Security Policy (CSP) img-src directive to include https: as an allowed source alongside 'self'. Changes span both backend and frontend: the Go CSP builder now constructs the directive with the https: scheme, test expectations are updated to reflect this change, frontend violation detection logic stops suppressing img-src violations, and release notes document the CSP update for OpenShift Console 4.23, noting that plugins loading images over HTTP must declare appropriate sources via spec.contentSecurityPolicy.

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically references the Jira issue (OCPBUGS-77931) and accurately describes the main change: loosening the default img-src CSP directive from 'self data:' to 'self https: data:'.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only standard Go testing package tests with static, deterministic test names. No Ginkgo tests present, so test name stability requirement does not apply.
Test Structure And Quality	✅ Passed	PR contains only standard Go testing package tests and Jest tests. Ginkgo framework checks do not apply to these testing approaches.
Microshift Test Compatibility	✅ Passed	PR modifies only pkg/utils/utils_test.go with standard Go testing package, not Ginkgo e2e tests. Custom check targets Ginkgo e2e tests only.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This pull request does not add any new Ginkgo e2e tests. Changes consist of CSP configuration updates, release notes, and Go unit tests only.
Topology-Aware Scheduling Compatibility	✅ Passed	The topology-aware scheduling compatibility check is not applicable to this PR, which exclusively modifies Content Security Policy directives and related test expectations.
Ote Binary Stdout Contract	✅ Passed	The pull request modifies utility library functions and test constants only, with no process-level code that could corrupt OTE binary stdout. The klog.Fatalf() call is a utility function that writes to stderr by default.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains standard Go unit tests and application code, with no Ginkgo e2e tests or IPv4/external connectivity assumptions present.
Description check	✅ Passed	PR description covers analysis, solution, and test cases but lacks screenshots, browser conformance checklist, and detailed test setup information.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/utils/utils.go (1)

65-70: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the nearby CSP comment.

The img-src default now includes https:, but the comment still says image sources only use 'self' and http://localhost:8080. That’s now inaccurate.

Suggested fix

-// Image source, font source, and style source only use 'self' and
-// 'http://localhost:8080'.
+// Image source uses 'self', https:, and off-cluster localhost.
+// Font source and style source only use 'self' and 'http://localhost:8080'.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/utils.go` around lines 65 - 70, Update the nearby block comment to
reflect the current CSP directives: mention that image sources (imgSrcDirective)
now include 'https:' in addition to 'self' and the localhost origins, and that
baseUriDirective, defaultSrcDirective, and imgSrcDirective include the appended
http://localhost:8080 and ws://localhost:8080 when running off-cluster; adjust
the wording so it accurately describes that img-src uses 'self', 'https:', and
the localhost origin rather than only 'self' and http://localhost:8080.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@pkg/utils/utils.go`:
- Around line 65-70: Update the nearby block comment to reflect the current CSP
directives: mention that image sources (imgSrcDirective) now include 'https:' in
addition to 'self' and the localhost origins, and that baseUriDirective,
defaultSrcDirective, and imgSrcDirective include the appended
http://localhost:8080 and ws://localhost:8080 when running off-cluster; adjust
the wording so it accurately describes that img-src uses 'self', 'https:', and
the localhost origin rather than only 'self' and http://localhost:8080.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f0341edf-3969-4bed-9518-e7d3a5ce0746

📥 Commits

Reviewing files that changed from the base of the PR and between 507b412 and ae63a79.

📒 Files selected for processing (4)

• frontend/packages/console-app/src/hooks/useCSPViolationDetector.tsx
• frontend/packages/console-dynamic-plugin-sdk/release-notes/4.23.md
• pkg/utils/utils.go
• pkg/utils/utils_test.go

💤 Files with no reviewable changes (1)

• frontend/packages/console-app/src/hooks/useCSPViolationDetector.tsx

📜 Review details

🧰 Additional context used

🔀 Multi-repo context openshift/console-operator

[::openshift/console-operator::pkg/console/subresource/consoleserver/config_builder.go]

• This file holds the console server CSP assembly: it stores and returns contentSecurityPolicyList and sets ContentSecurityPolicy in the built CLI config (see matches at lines shown in search output: config_builder.go:83, 270, 329, 610-611). Changes to the default img-src will affect the policy string produced here and what gets sent to browsers.

[::openshift/console-operator::pkg/console/subresource/consoleserver/types.go]

• The server config type includes ContentSecurityPolicy as a map[v1.DirectiveType][]string (types.go:34). The default img-src change changes values placed into this structure before serialization.

[::openshift/console-operator::vendor/github.com/openshift/api/console/v1/types_console_plugin.go]

• ConsolePlugin CRD docs and types reference contentSecurityPolicy and img-src examples (multiple matches in generated docs and types). The repo description explicitly states: "'self' is automatically included ... The OpenShift web console server aggregates the CSP directives and values across its own default values and all enabled ConsolePlugin CRs, merging them into a single policy string" (see generated swagger/doc and CRD manifest matches). Plugin authors may need to update spec.contentSecurityPolicy if their plugins load images over http; the new default img-src (adding https:) changes the effective merged policy.

[::openshift/console-operator::vendor/github.com/openshift/api/console/v1/zz_generated.crd-manifests/90_consoleplugins.crd.yaml]

• The CRD manifest includes example img-src entries and documentation that will represent user-facing docs/examples for plugin authors; these docs reference img-src usage and will be consistent with changes to server defaults.

[::openshift/console-operator::pkg/console/subresource/consoleserver/config_builder_test.go]

• There are many tests around console server config building (numerous test files referencing host/APIServerURL etc. and specifically config_builder_test.go). Tests that assert exact CSP strings or the assembled server config may need updates if expected img-src strings change.

Potential reviewer notes (observed evidence only)

• The server merges defaults with ConsolePlugin CRs (vendor/generated docs). Therefore changing the server default img-src to include https: will change the effective CSP delivered to browsers and may reduce the need for plugin authors to declare https image sources—but could also widen allowed image origins.
• Update surface includes config_builder.go (where default CSP values are assembled) and any tests/assertions that expect the older img-src value.

🔇 Additional comments (2)

frontend/packages/console-dynamic-plugin-sdk/release-notes/4.23.md (1)

5-8: Looks good.

The release note matches the CSP behavior change and gives plugin authors the right guidance.

pkg/utils/utils_test.go (1)

10-184: Looks good.

The updated expectations track the new default img-src output cleanly, including the off-cluster localhost case.

[TheRealJon]

After a little more research, maybe this represents a bigger risk than we want. One, this is a blanket approach. We should probably try to use a more nuanced solution with less blast radius. Second, as you said, this does represent a risk for IP tracking and zero-day vulnerabilities, which seem inevitable.

A couple of ideas that I had:

1. Create a new custom icon proxy service in a sandboxed pod where we can lock down and cache requests to custom icon URLs
2. Isolate all custom icons in sandboxed iframes. This is only half-baked, so might not actually be valid.
3. Create a new UI for cluster admins to "accept risk" of custom icon urls that are throwing CSP violations by adding those urls to the the CSP rules. Also half-baked :)

[logonoff]

1. Create a new custom icon proxy service in a sandboxed pod where we can lock down and cache requests to custom icon URLs

That could work since a lot of major services already do something like this (e.g., googleusercontent.com, githubusercontent.com, etc...). We could potentially look into using some package like https://pkg.go.dev/willnorris.com/go/imageproxy, https://github.com/discord/lilliput, or https://github.com/cactus/go-camo to proxy images in a sandboxed pod.

But from a security standpoint it's a lot more work to ensure we're configuring everything correctly, such that the pod is 100% isolated from the rest of the cluster. IMO a server-side SSRF vuln is a lot more severe than client-side IP tracking risks so we need to be very careful with this approach

Also note (according to Claude), that githubusercontent (go-camo) has seen security issues with regards to network isolation, so we really need to spend time on this to ensure we're getting it right: GHSA-xrmp-4542-q746

2. Isolate all custom icons in sandboxed iframes. This is only half-baked, so might not actually be valid.

This would potentially mitigate the "potential zero-days in browser image processing" issue but we have a lot of icons in the software catalog, and having one iframe per card isn't exactly the most performant thing in the world. If we don't introduce a image proxy as well, we would still have the IP tracking issue

3. Create a new UI for cluster admins to "accept risk" of custom icon urls that are throwing CSP violations by adding those urls to the the CSP rules. Also half-baked :)

I think this would be a good middle ground (e.g., gmail has this option), but at the moment our CSP is in report-only mode and so this would only be applicable when we start actually enforcing the policy. If we were to start actually blocking images that would constitute a major change in our CSP which I think is out of scope for this release

[openshift-ci]

@logonoff: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-console	5afddf4	link	true	/test e2e-gcp-console

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.