
Why doesn't the new-relic-admin support nonced CSP?

Open allen-munsch opened this issue 3 years ago • 3 comments

https://github.com/newrelic/newrelic-python-agent/blob/242c51a869b506d4235c8fedf024002251ac502c/newrelic/api/asgi_application.py#L172

Seems weird that the default would be "'unsafe-inline'"?

  • https://github.com/newrelic/newrelic-python-agent/blob/242c51a869b506d4235c8fedf024002251ac502c/newrelic/api/html_insertion.py#L32

  • https://github.com/newrelic/newrelic-python-agent/blob/242c51a869b506d4235c8fedf024002251ac502c/newrelic/api/html_insertion.py#L49

  • https://github.com/newrelic/newrelic-python-agent/blob/ad65494033a6aef95fa2cd10b49ae73cb4c612ed/newrelic/api/web_transaction.py#L42-L44

Any suggestions?

  • https://docs.newrelic.com/docs/apm/agents/python-agent/python-agent-api/disablebrowserautorum-python-agent-api/

  • https://discuss.newrelic.com/t/content-security-policy-and-browser-injection/2629

  • https://github.com/newrelic/newrelic-python-agent/blob/ad65494033a6aef95fa2cd10b49ae73cb4c612ed/newrelic/api/web_transaction.py#L402-L403

Similar:

  • https://github.com/newrelic/newrelic-ruby-agent/issues/332
  • https://github.com/newrelic/newrelic-ruby-agent/pull/673/files

allen-munsch avatar Jul 07 '22 14:07 allen-munsch

As linked above, this has been implemented in the Ruby agent so would appear to be fairly trivial to implement for the Python agent as well. As far as I've seen, the reasoning for not doing this so far hinges on an assumption that it would involve breaking compatibility with outdated browsers, although that's not necessarily true or even important to many people, as expressed by many over 6 years in this thread.

aaroncameron-wk avatar Jul 11 '22 23:07 aaroncameron-wk

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 21 '22 01:09 stale[bot]

It's not stale?

allen-munsch avatar Sep 21 '22 14:09 allen-munsch

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 23 '22 03:11 stale[bot]

This should not be marked as stale as it is a security focused feature request.

joshuata avatar Nov 23 '22 16:11 joshuata