CSP Compliance #16655
Comments
|
might be tricky as Angularjs (the old version) is still in heavy use by panels and all external plugins. We are migrating away from it but a lot left to migrate. You can use angular js in CSP mode but has 30% performance hit and some other restrictions: |
|
Is there an easy way to use that CSP mode in grafana? For me, the 30% performance hit is worth it if I can disable the |
|
Not currently. |
|
It looks like it would involve a lot of work, elastic/kibana#29545. Especially for plugin loading , and any async modules |
|
So your suggestion would be to wait until the migration is done? |
|
not sure, full migration is going to take ~2 years. But this involves a lot of work, would have to be either an external contribution, huge demand or someone willing to pay for this for it to be prioritized. |
|
I am wondering if we could get some help from logz.io since they are rolling out grafana multi-tenant. Worth a shot asking them? @torkelo |
|
Is there a plan to address this issue? |
|
@yippibrian check the linked PR, this is the first step. Though angular is not removed entirely yet so it is not possible to have a very strict one. |
What would you like to be added:
Grafana should be CSP compliant. This is pretty much a standard at this point.
What does that mean?
All
eval()andinlinescript must be removed from the code base, this will allow us to remove theunsafe-evalandunsafe-inlinefromscript-srcthat are currently needed to run it.Why is this needed:
Security should be a priority at all time, CSP headers helps us prevent XSS and other attacks. Those are good practices. This was already raised in 2016 by #6820 and I think it should be made a priority.
The text was updated successfully, but these errors were encountered: