Identify CSP test functions (#184456)

2025-04-23 17:28:26 -04:00 · 2024-05-30 06:04:55 -04:00 · 2024-05-30 06:04:55 -04:00 · 3e44cca7e7
commit 3e44cca7e7
parent 71ea578bcb
2 changed files with 5 additions and 2 deletions
--- a/packages/core/rendering/core-rendering-server-internal/src/views/template.tsx
+++ b/packages/core/rendering/core-rendering-server-internal/src/views/template.tsx
@ -110,7 +110,8 @@ export const Template: FunctionComponent<Props> = ({
        </div>

        <script>
-          {`
+          {`// kbnUnsafeInlineTest do not remove this comment:
+            //   it is used for filtering out expected CSP failures, and must be the first piece of content in this script block.
            // Since this is an unsafe inline script, this code will not run
            // in browsers that support content security policy(CSP). This is
            // intentional as we check for the existence of __kbnCspNotEnforced__ in
--- a/packages/kbn-handlebars/src/utils.ts
+++ b/packages/kbn-handlebars/src/utils.ts
@ -61,7 +61,9 @@ export function transformLiteralToPath(node: { path: hbs.AST.PathExpression | hb

 export function allowUnsafeEval() {
  try {
-    new Function();
+    // Do not remove the `kbnUnsafeEvalTest` parameter.
+    // It is used for filtering out expected CSP failures, and must be the first piece of content in this function.
+    new Function('kbnUnsafeEvalTest', 'return true;');
    return true;
  } catch (e) {
    return false;