Middleware: Add CSP support (#29740)

* Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
2025-02-25 18:55:37 -06:00 · 2021-01-12 07:42:32 +01:00
parent 4ed901e1f9
commit 50b649a869
19 changed files with 449 additions and 222 deletions
--- a/public/views/index-template.html
+++ b/public/views/index-template.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html lang="en">
  <head>
-    <script>
+    <script nonce="[[.Nonce]]">
      // https://github.com/GoogleChromeLabs/tti-polyfill
      !(function() {
        if ('PerformanceLongTaskTiming' in window) {
@@ -36,7 +36,7 @@

    <link rel="stylesheet" href="public/build/grafana.[[ .Theme ]].<%= webpack.hash %>.css" />

-    <script>
+    <script nonce="[[.Nonce]]">
      performance.mark('css done blocking');
    </script>
    <meta name="apple-mobile-web-app-capable" content="yes" />
@@ -221,7 +221,7 @@
      </div>
    </grafana-app>

-    <script>
+    <script nonce="[[.Nonce]]">
        window.grafanaBootData = {
          user: [[.User]],
          settings: [[.Settings]],
@@ -239,7 +239,7 @@

    [[if .GoogleTagManagerId]]
    <!-- Google Tag Manager -->
-    <script>
+    <script nonce="[[.Nonce]]">
      dataLayer = [
        {
          IsSignedIn: '[[.User.IsSignedIn]]',
@@ -259,7 +259,7 @@
        style="display:none;visibility:hidden"
      ></iframe>
    </noscript>
-    <script>
+    <script nonce="[[.Nonce]]">
      (function(w, d, s, l, i) {
        w[l] = w[l] || [];
        w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
@@ -277,16 +277,16 @@
    <%
    for (key in htmlWebpackPlugin.files.chunks) { %><%
      if (htmlWebpackPlugin.files.jsIntegrity) { %>
-    <script
+    <script nonce="[[.Nonce]]"
      src="<%= htmlWebpackPlugin.files.chunks[key].entry %>"
      type="text/javascript"
      integrity="<%= htmlWebpackPlugin.files.jsIntegrity[htmlWebpackPlugin.files.js.indexOf(htmlWebpackPlugin.files.chunks[key].entry)] %>"
      crossorigin="<%= webpackConfig.output.crossOriginLoading %>"></script><%
      } else { %>
-    <script src="<%= htmlWebpackPlugin.files.chunks[key].entry %>" type="text/javascript"></script><%
+    <script nonce="[[.Nonce]]" src="<%= htmlWebpackPlugin.files.chunks[key].entry %>" type="text/javascript"></script><%
      } %><%
    } %>
-    <script>
+    <script nonce="[[.Nonce]]">
      performance.mark('js done blocking');
    </script>
  </body>