CSP: Set nonce attribute on Webpack injected bundles (#33298)

* CSP: Set __webpack_nonce__

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

conf/defaults.ini

@@ -69,7 +69,7 @@ socket = /tmp/grafana.sock
 # CDN Url
 cdn_url =
 
-# Sets the maximum time in minutes before timing out read of an incoming request and closing idle connections. 
+# Sets the maximum time in minutes before timing out read of an incoming request and closing idle connections.
 # `0` means there is no timeout for reading the request.
 read_timeout = 0
 
@@ -507,13 +507,13 @@ enable_login_token = false
 [auth.jwt]
 enabled = false
 header_name =
-email_claim = 
-username_claim = 
-jwk_set_url =  
-jwk_set_file = 
+email_claim =
+username_claim =
+jwk_set_url =
+jwk_set_file =
 cache_ttl = 60m
 expected_claims = {}
-key_file = 
+key_file =
 
 #################################### Auth LDAP ###########################
 [auth.ldap]
@@ -528,11 +528,11 @@ active_sync_enabled = true
 
 #################################### AWS ###########################
 [aws]
-# Enter a comma-separated list of allowed AWS authentication providers. 
+# Enter a comma-separated list of allowed AWS authentication providers.
 # Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_iam_role (EC2 IAM Role)
 allowed_auth_providers = default,keys,credentials
 
-# Allow AWS users to assume a role using temporary security credentials. 
+# Allow AWS users to assume a role using temporary security credentials.
 # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
 assume_role_enabled = true
 

conf/sample.ini

@@ -518,11 +518,11 @@
 
 #################################### AWS ###########################
 [aws]
-# Enter a comma-separated list of allowed AWS authentication providers. 
+# Enter a comma-separated list of allowed AWS authentication providers.
 # Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_iam_role (EC2 IAM Role)
 ; allowed_auth_providers = default,keys,credentials
 
-# Allow AWS users to assume a role using temporary security credentials. 
+# Allow AWS users to assume a role using temporary security credentials.
 # If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
 ; assume_role_enabled = true
 

public/app/index.ts

@@ -1,4 +1,5 @@
 declare let __webpack_public_path__: string;
+declare let __webpack_nonce__: string;
 
 /**
  * Check if we are hosting files on cdn and set webpack public path
@@ -11,5 +12,9 @@ if ((window as any).public_cdn_path) {
 (window as any).__grafana_public_path__ =
   __webpack_public_path__.substring(0, __webpack_public_path__.lastIndexOf('build/')) || __webpack_public_path__;
 
+if ((window as any).nonce) {
+  __webpack_nonce__ = (window as any).nonce;
+}
+
 import app from './app';
 app.init();

public/views/index-template.html

@@ -263,6 +263,9 @@
         [[if .ContentDeliveryURL]]
           window.public_cdn_path = '[[.ContentDeliveryURL]]public/build/';
         [[end]]
+        [[if .Nonce]]
+          window.nonce = '[[.Nonce]]';
+        [[end]]
     </script>
 
     [[if .GoogleTagManagerId]]