Inject CSP config via HTML tag rather than inline JavaScript (#31514)

This allows us to support a more flexible set of CSP rules that do not necessarily rely on nonce.
2025-04-24 09:48:58 -04:00 · 2019-02-19 20:56:17 -05:00 · 2019-02-19 20:56:17 -05:00 · 8aada890e5
commit 8aada890e5
parent 11da27b865
3 changed files with 5 additions and 3 deletions
--- a/src/legacy/ui/ui_render/bootstrap/template.js.hbs
+++ b/src/legacy/ui/ui_render/bootstrap/template.js.hbs
@ -1,3 +1,7 @@
+var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
+window.__kbnStrictCsp__ = kbnCsp.strictCsp;
+window.__kbnNonce__ = kbnCsp.nonce;
+
 if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
  legacyBrowserError.style.display = 'flex';
--- a/src/legacy/ui/ui_render/views/chrome.pug
+++ b/src/legacy/ui/ui_render/views/chrome.pug
@ -300,5 +300,6 @@ html(lang=locale)
    block head

  body
+    kbn-csp(data=JSON.stringify({ nonce, strictCsp }))
    kbn-injected-metadata(data=JSON.stringify(injectedMetadata))
    block content
--- a/src/legacy/ui/ui_render/views/ui_app.pug
+++ b/src/legacy/ui/ui_render/views/ui_app.pug
@ -137,7 +137,4 @@ block content
    // intentional as we check for the existence of __kbnCspNotEnforced__ in
    // bootstrap.
    window.__kbnCspNotEnforced__ = true;
-  script(nonce=nonce).
-    window.__kbnStrictCsp__ = !{strictCsp};
-    window.__kbnNonce__ = '!{nonce}';
  script(src=bootstrapScriptUrl, nonce=nonce)