Replace 'nonce' with 'self' in CSP default rules (#31610)

Edge doesn't support nonce for src scripts due to a bug in the browser,
and while it's not a supported browser for Kibana, we'd like to avoid
surprises for people that are upgrading between minor versions.
Court Ewing 2019-02-20 20:12:02 -05:00 committed by GitHub
parent c3cdca9837
commit ca791e931d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -34,7 +34,7 @@ import { createCSPRuleString, DEFAULT_CSP_RULES, generateCSPNonce } from './';
test('default CSP rules', () => {
expect(DEFAULT_CSP_RULES).toMatchInlineSnapshot(`
Array [
"script-src 'unsafe-eval' 'nonce-{nonce}'",
"script-src 'unsafe-eval' 'self'",
"worker-src blob:",
"child-src blob:",
]


@ -23,7 +23,7 @@ import { promisify } from 'util';
const randomBytesAsync = promisify(randomBytes);
export const DEFAULT_CSP_RULES = Object.freeze([
`script-src 'unsafe-eval' 'nonce-{nonce}'`,
`script-src 'unsafe-eval' 'self'`,
'worker-src blob:',
'child-src blob:',
]);
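Review bot: The `'self'` source in the `script-src` entry of `DEFAULT_CSP_RULES` trusts every script URL the Kibana origin can serve, whereas the nonce trusted only the tags the server rendered for that request, and nothing next to the constant records that trade-off or why it was made. I would carry the rationale from the commit message into the code, e.g. `// 'self' rather than a per-request nonce: Edge does not honour nonces on src scripts. Any same-origin script URL is now trusted.` With no nonce or hash left in the default policy, browsers refuse inline `<script>` blocks, so any inline bootstrap script would have to be served as an external file; whether one exists is not visible from this hunk. `generateCSPNonce` and the `{nonce}` placeholder handling in `createCSPRuleString` presumably remain for custom rules, and it is worth confirming a test still covers that path now that the defaults no longer exercise it.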