From aed1c013c074c52548552dd1690a705f4361458f Mon Sep 17 00:00:00 2001
From: Arve Knudsen
Date: Wed, 19 May 2021 11:37:14 +0200
Subject: [PATCH] CSP: Relax default template wrt. loading of scripts, due to nonces not working (#34363)
* CSP: Relax default template, due to nonces not working
Signed-off-by: Arve Knudsen
* CSP: Add back data: to img-src
Signed-off-by: Arve Knudsen
---
 conf/defaults.ini | 2 +-
 conf/sample.ini | 2 +-
 pkg/tests/web/index_view_test.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/conf/defaults.ini b/conf/defaults.ini
index 97b9344a409..29b3d693515 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -249,7 +249,7 @@ content_security_policy = false
 # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
 # $NONCE in the template includes a random nonce.
-content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
 #################################### Snapshots ###########################
 [snapshots]
diff --git a/conf/sample.ini b/conf/sample.ini
index 718f27e99b1..2dda4f1aa0c 100644
--- a/conf/sample.ini
+++ b/conf/sample.ini
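Review bot: The two context comment lines kept above the changed `content_security_policy_template` still present `$NONCE` as the mechanism in use, but the new default no longer contains `$NONCE` or `'strict-dynamic'` and instead allows `'unsafe-inline'` in script-src, so an operator reading the shipped default will assume nonce-based script control is active when it is not. The trade-off should be stated next to the value, e.g. `# The default below permits 'unsafe-inline' scripts (see #34363); a template using $NONCE with 'strict-dynamic' is stricter but requires every inline script to carry the nonce.` The same unchanged context comment appears in the conf/sample.ini hunk, which should get the same note. Since `'unsafe-inline'` in script-src removes the inline-script restriction that CSP is usually deployed for, recording in the config (or the documentation) that this default is a relaxed baseline, and why, is worth more than leaving the reason only in the commit message.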
@@ -255,7 +255,7 @@
 # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
 # $NONCE in the template includes a random nonce.
-;content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
+;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
 #################################### Snapshots ###########################
 [snapshots]
diff --git a/pkg/tests/web/index_view_test.go b/pkg/tests/web/index_view_test.go
index 6810456b1f0..0f6086016aa 100644
--- a/pkg/tests/web/index_view_test.go
+++ b/pkg/tests/web/index_view_test.go
@@ -24,7 +24,7 @@ func TestIndexView(t *testing.T) {
 // nolint:bodyclose
 resp, html := makeRequest(t, addr)
- assert.Regexp(t, `script-src 'unsafe-eval' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \*;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
+ assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \* data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
 assert.Regexp(t, `