From ef82aaf7df9e605fb6deeed9bbeb203c66095247 Mon Sep 17 00:00:00 2001
From: Court Ewing
Date: Wed, 20 Feb 2019 15:01:10 -0500
Subject: [PATCH] Inject CSP config via HTML tag rather than inline JavaScript (#31514) (#31553)

This allows us to support a more flexible set of CSP rules that do not necessarily rely on nonce.
---
 src/ui/ui_render/bootstrap/template.js.hbs | 4 ++++
 src/ui/ui_render/views/chrome.pug | 1 +
 src/ui/ui_render/views/ui_app.pug | 3 ---
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/ui/ui_render/bootstrap/template.js.hbs b/src/ui/ui_render/bootstrap/template.js.hbs
index c695bad775e8..bc6d505279ad 100644
--- a/src/ui/ui_render/bootstrap/template.js.hbs
+++ b/src/ui/ui_render/bootstrap/template.js.hbs
@@ -1,3 +1,7 @@
+var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
+window.__kbnStrictCsp__ = kbnCsp.strictCsp;
+window.__webpack_nonce__ = kbnCsp.nonce;
+
 if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
 var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
 legacyBrowserError.style.display = 'flex';
diff --git a/src/ui/ui_render/views/chrome.pug b/src/ui/ui_render/views/chrome.pug
index 8880b61e1d48..479a3f9ab0bc 100644
--- a/src/ui/ui_render/views/chrome.pug
+++ b/src/ui/ui_render/views/chrome.pug
@@ -118,5 +118,6 @@ html(lang=locale)
 style#themeCss
 body
+ kbn-csp(data=JSON.stringify({ nonce, strictCsp }))
 kbn-injected-metadata(data=JSON.stringify(injectedMetadata))
 block content
diff --git a/src/ui/ui_render/views/ui_app.pug b/src/ui/ui_render/views/ui_app.pug
index 34b8f5cf6acf..f12e6be6edef 100644
--- a/src/ui/ui_render/views/ui_app.pug
+++ b/src/ui/ui_render/views/ui_app.pug
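Review bot: The first added line dereferences `document.querySelector('kbn-csp')` with no null check, so any page that renders this bootstrap script without the `kbn-csp` element (or with the element placed after the script) throws a TypeError on line 1 and the legacy-browser check below never runs. A guarded read keeps the bootstrap alive and degrades to the same undefined globals the old inline script would have left: `var kbnCspEl = document.querySelector('kbn-csp');` followed by `var kbnCsp = kbnCspEl ? JSON.parse(kbnCspEl.getAttribute('data') || '{}') : {};`. Note that with `strictCsp` undefined the flag reads as non-strict, which only affects the warning banner, not the CSP header itself; worth stating in a comment above the read. The `if` block at the bottom of the hunk continues past the hunk.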
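Review bot: The new `kbn-csp` element in chrome.pug carries no comment saying who consumes it, yet bootstrap/template.js.hbs in this same commit reads it with `document.querySelector('kbn-csp')` and `JSON.parse` of its `data` attribute, so the element must stay before the bootstrap script tag and keep the `{ nonce, strictCsp }` shape. Suggest a pug comment directly above it: `//- Read by ui_render/bootstrap/template.js.hbs; must precede the bootstrap script and keep the { nonce, strictCsp } shape`.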
@@ -137,7 +137,4 @@ block content
 // intentional as we check for the existence of __kbnCspNotEnforced__ in
 // bootstrap.
 window.__kbnCspNotEnforced__ = true;
- script(nonce=nonce).
- window.__kbnStrictCsp__ = !{strictCsp};
- window.__webpack_nonce__ = '!{nonce}';
 script(src=bootstrapScriptUrl, nonce=nonce)