Inject CSP config via HTML tag rather than inline JavaScript (#31514) (#31553)

This allows us to support a more flexible set of CSP rules that do not necessarily rely on nonce.
2025-04-24 17:59:23 -04:00 · 2019-02-20 15:01:10 -05:00 · 2019-02-20 15:01:10 -05:00 · ef82aaf7df
commit ef82aaf7df
parent 3fc0a9edfb
3 changed files with 5 additions and 3 deletions
--- a/src/ui/ui_render/bootstrap/template.js.hbs
+++ b/src/ui/ui_render/bootstrap/template.js.hbs
@ -1,3 +1,7 @@
 var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
 window.__kbnStrictCsp__ = kbnCsp.strictCsp;
 window.__webpack_nonce__ = kbnCsp.nonce;
 if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
  legacyBrowserError.style.display = 'flex';
--- a/src/ui/ui_render/views/chrome.pug
+++ b/src/ui/ui_render/views/chrome.pug
@ -118,5 +118,6 @@ html(lang=locale)
    style#themeCss
  body
    kbn-csp(data=JSON.stringify({ nonce, strictCsp }))
    kbn-injected-metadata(data=JSON.stringify(injectedMetadata))
    block content
--- a/src/ui/ui_render/views/ui_app.pug
+++ b/src/ui/ui_render/views/ui_app.pug
@ -137,7 +137,4 @@ block content
    // intentional as we check for the existence of __kbnCspNotEnforced__ in
    // bootstrap.
    window.__kbnCspNotEnforced__ = true;
  script(nonce=nonce).
    window.__kbnStrictCsp__ = !{strictCsp};
    window.__webpack_nonce__ = '!{nonce}';
  script(src=bootstrapScriptUrl, nonce=nonce)