Middleware: Add CSP Report Only support (#58074)

* Middleware: Add CSP Report Only support * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update csp documentation wording * Update conf/sample.ini Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update pkg/middleware/csp.go Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
2025-02-25 18:55:37 -06:00 · 2022-11-16 17:11:26 +00:00
parent aea860a3bd
commit f254a37d35
8 changed files with 158 additions and 41 deletions
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -330,6 +330,14 @@
 # $ROOT_PATH is server.root_url without the protocol.
 ;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""

+# Enable adding the Content-Security-Policy-Report-Only header to your requests.
+# Allows you to monitor the effects of a policy without enforcing it.
+;content_security_policy_report_only = false
+
+# Set Content Security Policy Report Only template used when adding the Content-Security-Policy-Report-Only header to your requests.
+# $NONCE in the template includes a random nonce.
+# $ROOT_PATH is server.root_url without the protocol.
+;content_security_policy_report_only_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
 # Controls if old angular plugins are supported or not. This will be disabled by default in future release
 ;angular_support_enabled = true