
fix: change default CSP value #2601

Merged
merged 3 commits into from
Nov 7, 2022

Conversation

nthsky
Contributor

@nthsky nthsky commented Aug 23, 2022

Why submit this pull request?

  • Bugfix

What changes will this PR take into?

It changes the dashboard's default CSP: it adds 'unsafe-inline' to script-src and adds an img-src directive.

The current default CSP policy is

"default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

Problems:

  1. script-src without 'unsafe-inline' causes errors like this:
     Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-9B0adsvsNyel0bNudomHjhrSk758zuql+j59Udq5xCo='), or a nonce ('nonce-...') is required to enable inline execution.
  2. Without img-src, plugin pages whose icons use base64 images cannot display correctly.

Changes:

After this change, the default CSP becomes

"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
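The two policies above differ in what the browser will actually fetch and execute. The following Go program is an added example, not part of this PR or of the apisix-dashboard code base: it parses a serialized CSP header, applies the default-src fallback that browsers use for fetch directives such as img-src, and reports which relaxations each policy carries. Run against the old and new defaults quoted in the description, it shows why base64 images failed before (img-src inherited `default-src 'self'`, which does not include `data:`) and makes explicit that the new policy permits inline script execution, the relaxation the browser's error message offered a hash or nonce as the alternative to. The `Policy` type, `Parse`, `Effective`, `Allows` and `Weaknesses` are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// The two policies quoted in the PR description.
const (
	OldDefault = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
	NewDefault = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
)

// Policy maps a directive name ("script-src") to its source-expression list.
type Policy map[string][]string

// Parse splits a serialized Content-Security-Policy value into directives.
// Names are lower-cased; source tokens are kept verbatim, quotes included.
func Parse(header string) Policy {
	p := Policy{}
	for _, part := range strings.Split(header, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		// Browsers ignore a repeated directive; keep the first occurrence.
		if _, seen := p[name]; seen {
			continue
		}
		p[name] = fields[1:]
	}
	return p
}

// fetchDirectives fall back to default-src when they are not set explicitly.
var fetchDirectives = map[string]bool{
	"script-src": true, "style-src": true, "img-src": true, "font-src": true,
	"connect-src": true, "media-src": true, "object-src": true, "frame-src": true,
}

// Effective returns the source list that actually governs a directive.
func (p Policy) Effective(directive string) []string {
	if srcs, ok := p[directive]; ok {
		return srcs
	}
	if fetchDirectives[directive] {
		return p["default-src"]
	}
	return nil
}

// Allows reports whether a keyword or scheme token (e.g. "'unsafe-inline'",
// "data:") is listed for the directive. Keywords never match a wildcard,
// so only an exact token counts.
func (p Policy) Allows(directive, token string) bool {
	for _, s := range p.Effective(directive) {
		if s == token {
			return true
		}
	}
	return false
}

// Weaknesses lists the relaxations a reviewer would flag, in a fixed order.
func Weaknesses(p Policy) []string {
	checks := []struct{ directive, token string }{
		{"script-src", "'unsafe-eval'"},
		{"script-src", "'unsafe-inline'"},
		{"style-src", "'unsafe-inline'"},
	}
	var out []string
	for _, c := range checks {
		if p.Allows(c.directive, c.token) {
			out = append(out, c.directive+" allows "+c.token)
		}
	}
	return out
}

func main() {
	for _, h := range []string{OldDefault, NewDefault} {
		p := Parse(h)
		fmt.Printf("%s\n  img-src data: allowed: %v\n  weaknesses: %v\n",
			h, p.Allows("img-src", "data:"), Weaknesses(p))
	}
}
```

The parser is deliberately narrow: it resolves the default-src fallback and exact-token membership, which is enough to reason about the two changes in this PR, and does not implement host-source matching or the newer `strict-dynamic` semantics.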

@codecov-commenter

codecov-commenter commented Aug 23, 2022

Codecov Report

Merging #2601 (c61f023) into master (b5672b6) will decrease coverage by 2.34%.
The diff coverage is 50.00%.

@@            Coverage Diff             @@
##           master    #2601      +/-   ##
==========================================
- Coverage   76.44%   74.10%   -2.35%     
==========================================
  Files         139      201      +62     
  Lines        3749     7824    +4075     
  Branches      873      873              
==========================================
+ Hits         2866     5798    +2932     
- Misses        883     1726     +843     
- Partials        0      300     +300     
Flag | Coverage | Δ
backend-e2e-test-ginkgo | 64.95% <50.00%> | (?)
backend-unit-test | 50.07% <50.00%> | (?)
frontend-e2e-test | 76.44% <ø> | (ø)

Flags with carried forward coverage won't be shown.

Impacted Files | Coverage | Δ
api/internal/conf/conf.go | 66.00% <50.00%> | (ø)
api/main.go | 100.00% <0.00%> | (ø)
api/internal/handler/schema/plugin.go | 100.00% <0.00%> | (ø)
api/internal/handler/schema/schema.go | 100.00% <0.00%> | (ø)
api/internal/handler/upstream/upstream.go | 86.58% <0.00%> | (ø)
api/internal/core/store/store_mock.go | 0.00% <0.00%> | (ø)
api/internal/handler/consumer/consumer.go | 92.06% <0.00%> | (ø)
api/internal/log/log.go | 60.00% <0.00%> | (ø)
api/internal/handler/label/label.go | 86.20% <0.00%> | (ø)
api/internal/filter/invalid_request.go | 100.00% <0.00%> | (ø)
... and 53 more


@juzhiyuan juzhiyuan merged commit 8dcadce into apache:master Nov 7, 2022
bzp2010 pushed a commit to bzp2010/apisix-dashboard that referenced this pull request Nov 7, 2022
Co-authored-by: Zeping Bai <bzp2010@apache.org>

(cherry picked from commit 8dcadce)
@bzp2010
Contributor

bzp2010 commented Nov 7, 2022

Thanks for your contribution.

hongbinhsu added a commit to fitphp/apix-dashboard that referenced this pull request Nov 7, 2022
* upstream/master:
  fix: change default CSP value (apache#2601)
  fix: ant-table unable to request (apache#2641)
  fix: plugin_config missing on service exist (apache#2657)
  feat: add etcd store auto re-initialize (apache#2650)
  feat: add login filter of OpenID-Connect (apache#2608)
  feat:Configure plug-ins to support this feature (apache#2647)
  feat: Adding a Loading state to buttons (apache#2630)
  feat: dashboard support windows (apache#2619)
  Feat: add tip and preset model for plugin editor, improve e2e stability (apache#2581)
  docs: add Slack invitation link badge (apache#2617)

# Conflicts:
#	.github/workflows/backend-cli-test.yml
#	Dockerfile
#	api/test/shell/cli_test.sh
#	web/src/components/Footer/index.tsx
#	web/src/components/RightContent/index.tsx
#	web/src/pages/ServerInfo/List.tsx