IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

CSP: Relax default template wrt. loading of scripts, due to nonces not working (#34363)

Browse Source 
* CSP: Relax default template, due to nonces not working

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* CSP: Add back data: to img-src

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
This commit is contained in:
Arve Knudsen 2021-05-19 11:37:14 +02:00 committed by GitHub
parent 0a2054bbe0
commit aed1c013c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
conf/defaults.ini
View File

@ -249,7 +249,7 @@ content_security_policy = false
# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests. # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
# $NONCE in the template includes a random nonce. # $NONCE in the template includes a random nonce.
content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
#################################### Snapshots ########################### #################################### Snapshots ###########################
[snapshots] [snapshots]

2
conf/sample.ini
View File

@ -255,7 +255,7 @@
# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests. # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
# $NONCE in the template includes a random nonce. # $NONCE in the template includes a random nonce.
;content_security_policy_template = """script-src 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src *;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" ;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src * data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';"""
#################################### Snapshots ########################### #################################### Snapshots ###########################
[snapshots] [snapshots]

2
pkg/tests/web/index_view_test.go
View File

@ -24,7 +24,7 @@ func TestIndexView(t *testing.T) {
// nolint:bodyclose // nolint:bodyclose
resp, html := makeRequest(t, addr) resp, html := makeRequest(t, addr)
assert.Regexp(t, `script-src 'unsafe-eval' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \*;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy")) assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src \* data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
assert.Regexp(t, `<script nonce="[^"]+"`, html) assert.Regexp(t, `<script nonce="[^"]+"`, html)
}) })