diff --git a/conf/defaults.ini b/conf/defaults.ini
index 97b9344a409..29b3d693515 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -249,7 +249,7 @@ content_security_policy = false
 # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
 # $NONCE in the template includes a random nonce.
-content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
 #################################### Snapshots ###########################
 [snapshots]
diff --git a/conf/sample.ini b/conf/sample.ini
index 718f27e99b1..2dda4f1aa0c 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -255,7 +255,7 @@
 # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
 # $NONCE in the template includes a random nonce.
-;content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
 #################################### Snapshots ###########################
 [snapshots]
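Review bot: The context comment kept directly above the changed line, `# $NONCE in the template includes a random nonce.`, now documents a placeholder the new default no longer contains: the `+` line drops `$NONCE` and `'strict-dynamic'` in favour of `'self' 'unsafe-eval' 'unsafe-inline'`, and also widens `img-src *` to `img-src * data:`. An operator reading defaults.ini will assume script nonces are still in effect, while `'unsafe-inline'` in script-src means any inline script is permitted; this loosening is presumably deliberate (the regexp in pkg/tests/web/index_view_test.go is updated to match), but the comment should say so. Suggest adding below the $NONCE line: `# The shipped default does not use $NONCE and allows 'unsafe-inline' scripts; deployments that can tolerate it should switch to a nonce + 'strict-dynamic' template.` The same stale comment sits above the commented-out template in the conf/sample.ini hunk and needs the same addition.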
diff --git a/pkg/tests/web/index_view_test.go b/pkg/tests/web/index_view_test.go
index 6810456b1f0..0f6086016aa 100644
--- a/pkg/tests/web/index_view_test.go
+++ b/pkg/tests/web/index_view_test.go
@@ -24,7 +24,7 @@ func TestIndexView(t *testing.T) {
 // nolint:bodyclose
 resp, html := makeRequest(t, addr)
- assert.Regexp(t, `script-src 'unsafe-eval' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \*;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
+ assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \* data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
 assert.Regexp(t, `