
fix: change default CSP value

Open · nthsky opened this pull request 2 years ago · 1 comment

Why submit this pull request?

  • Bugfix

What changes will this PR take into?

It changes the dashboard's default CSP: adds 'unsafe-inline' to script-src and adds img-src.

The current default CSP policy is

"default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

Problems:

  1. script-src without 'unsafe-inline' causes errors like this:
     Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-9B0adsvsNyel0bNudomHjhrSk758zuql+j59Udq5xCo='), or a nonce ('nonce-...') is required to enable inline execution.
  2. No img-src means that the plugin page's icons, which use base64 images, cannot be shown correctly.

Changes:

After this change, the default CSP is

"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"

nthsky avatar Aug 23 '22 06:08 nthsky
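The two header values quoted in the description differ in what a browser will let the dashboard page do, and the browser error pasted above already names the stricter alternative to 'unsafe-inline': a per-script hash or a nonce. Adding 'unsafe-inline' to script-src means any inline script that an attacker manages to inject into the page also runs, so the policy no longer protects against reflected or stored XSS in the dashboard. The following Go program is an added example written for this page, not code from apisix-dashboard; the names Policy, ParseCSP, InlineScriptHash, HashedPolicy, AllowsInlineScript and AllowsDataImage are assumptions, and the inline script body in main is constructed. It parses both policies, checks whether an inline script and a data: image would be allowed, and shows a third policy that allow-lists one inline script by its SHA-256 hash instead of 'unsafe-inline'. It also models the CSP Level 2 rule that browsers ignore 'unsafe-inline' in a directive that contains a nonce or hash source, which matters if someone later adds a hash "on top of" the relaxed policy and expects the old behaviour to remain.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// The two policies quoted in the PR description.
const (
	OldPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
	NewPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
)

// Policy maps a lower-cased directive name to its source list.
type Policy map[string][]string

// ParseCSP splits a Content-Security-Policy header value into directives.
func ParseCSP(header string) Policy {
	p := Policy{}
	for _, directive := range strings.Split(header, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue
		}
		p[strings.ToLower(fields[0])] = fields[1:]
	}
	return p
}

// sources returns the effective source list for a fetch directive, falling
// back to default-src when the directive is absent, as browsers do.
func (p Policy) sources(directive string) []string {
	if s, ok := p[directive]; ok {
		return s
	}
	return p["default-src"]
}

// InlineScriptHash returns the 'sha256-...' source expression that allow-lists
// exactly this inline script body (the hash route the browser error mentions).
func InlineScriptHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// HashedPolicy is the stricter alternative (assumed, not the project's):
// OldPolicy plus a hash for one known inline script and img-src with data:,
// without 'unsafe-inline' on script-src.
func HashedPolicy(inlineBody string) string {
	return "default-src 'self'; script-src 'self' 'unsafe-eval' " + InlineScriptHash(inlineBody) +
		"; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
}

func isNonceOrHash(src string) bool {
	for _, prefix := range []string{"'nonce-", "'sha256-", "'sha384-", "'sha512-"} {
		if strings.HasPrefix(src, prefix) {
			return true
		}
	}
	return false
}

// AllowsInlineScript reports whether script-src lets the given inline script
// run: a matching hash always allows it; 'unsafe-inline' allows it only when
// the directive holds no nonce or hash source (CSP Level 2+ ignores it then).
func (p Policy) AllowsInlineScript(body string) bool {
	srcs := p.sources("script-src")
	hasNonceOrHash := false
	for _, s := range srcs {
		if isNonceOrHash(s) {
			hasNonceOrHash = true
		}
	}
	hash := InlineScriptHash(body)
	for _, s := range srcs {
		if s == hash || (s == "'unsafe-inline'" && !hasNonceOrHash) {
			return true
		}
	}
	return false
}

// AllowsDataImage reports whether img-src permits data: URLs, which the
// base64-encoded plugin icons need.
func (p Policy) AllowsDataImage() bool {
	for _, s := range p.sources("img-src") {
		if s == "data:" || s == "*" {
			return true
		}
	}
	return false
}

func main() {
	inline := "window.__INIT__ = true;" // constructed stand-in for a dashboard inline script
	for _, c := range []struct{ name, raw string }{{"old", OldPolicy}, {"new", NewPolicy}, {"hashed", HashedPolicy(inline)}} {
		p := ParseCSP(c.raw)
		fmt.Printf("%-6s inline script allowed=%-5v data: image allowed=%v\n", c.name, p.AllowsInlineScript(inline), p.AllowsDataImage())
	}
}
```

The old policy blocks both the inline script and the data: image, which is exactly the pair of failures the description lists; the new policy allows both, at the cost of allowing every inline script; the hashed policy allows only the one inline script whose body was hashed. The hash approach only works when the inlined script bodies are fixed at build time, so it is a viable replacement for 'unsafe-inline' here only if the dashboard's inline scripts are static.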

Codecov Report

Merging #2601 (c61f023) into master (b5672b6) will decrease coverage by 2.34%. The diff coverage is 50.00%.

@@            Coverage Diff             @@
##           master    #2601      +/-   ##
==========================================
- Coverage   76.44%   74.10%   -2.35%     
==========================================
  Files         139      201      +62     
  Lines        3749     7824    +4075     
  Branches      873      873              
==========================================
+ Hits         2866     5798    +2932     
- Misses        883     1726     +843     
- Partials        0      300     +300     
Flag Coverage Δ
backend-e2e-test-ginkgo 64.95% <50.00%> (?)
backend-unit-test 50.07% <50.00%> (?)
frontend-e2e-test 76.44% <ø> (ø)


Impacted Files Coverage Δ
api/internal/conf/conf.go 66.00% <50.00%> (ø)
api/main.go 100.00% <0.00%> (ø)
api/internal/handler/schema/plugin.go 100.00% <0.00%> (ø)
api/internal/handler/schema/schema.go 100.00% <0.00%> (ø)
api/internal/handler/upstream/upstream.go 86.58% <0.00%> (ø)
api/internal/core/store/store_mock.go 0.00% <0.00%> (ø)
api/internal/handler/consumer/consumer.go 92.06% <0.00%> (ø)
api/internal/log/log.go 60.00% <0.00%> (ø)
api/internal/handler/label/label.go 86.20% <0.00%> (ø)
api/internal/filter/invalid_request.go 100.00% <0.00%> (ø)
... and 53 more


codecov-commenter avatar Aug 23 '22 07:08 codecov-commenter

Thanks for your contribution.

bzp2010 avatar Nov 07 '22 02:11 bzp2010