CSP Compliance #16655
Might be tricky, as AngularJS (the old version) is still in heavy use by panels and all external plugins. We are migrating away from it, but a lot is left to migrate. You can use AngularJS in CSP mode, but it has a 30% performance hit and some other restrictions:

Is there an easy way to use that CSP mode in Grafana? For me, the 30% performance hit is worth it if I can disable the

Not currently.

It looks like it would involve a lot of work, elastic/kibana#29545. Especially for plugin loading, and any async modules.

So your suggestion would be to wait until the migration is done?

Not sure, full migration is going to take ~2 years. But this involves a lot of work; it would have to be either an external contribution, huge demand, or someone willing to pay for this for it to be prioritized.

I am wondering if we could get some help from logz.io since they are rolling out Grafana multi-tenant. Worth a shot asking them? @torkelo

Is there a plan to address this issue?

@yippibrian check the linked PR, this is the first step. Though Angular is not removed entirely yet, so it is not possible to have a very strict one.
What would you like to be added:
Grafana should be CSP compliant. This is pretty much a standard at this point.

What does that mean?
All `eval()` and inline script must be removed from the code base; this will allow us to remove the `unsafe-eval` and `unsafe-inline` from `script-src` that are currently needed to run it.

Why is this needed:
Security should be a priority at all times; CSP headers help us prevent XSS and other attacks. Those are good practices. This was already raised in 2016 by #6820 and I think it should be made a priority.
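The issue asks for `'unsafe-eval'` and `'unsafe-inline'` to be dropped from `script-src`. The following is an added example, not code from the Grafana project or from anyone in this thread: a small auditor that parses a `Content-Security-Policy` header value and reports which script-execution relaxations are still present, so a deployer can check what a server actually sends. The two policy strings are constructed for illustration (the nonce value is a placeholder); they are not Grafana's real headers.

```javascript
// Added example (not Grafana's code): parse a CSP header value and audit
// the sources that govern script execution. Policies below are constructed.

// Parse "directive src1 src2; directive2 ..." into an object of arrays.
// Directive names are case-insensitive; source expressions keep their
// case because nonces and hashes are case-sensitive.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; keep the first occurrence.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Script execution falls back to default-src when script-src is absent.
function effectiveScriptSources(policy) {
  if ("script-src" in policy) return policy["script-src"];
  if ("default-src" in policy) return policy["default-src"];
  return null; // no directive restricts scripts at all
}

// Return the findings a reviewer would raise about script execution.
function auditScriptSrc(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  const findings = [];
  if (sources === null) {
    findings.push("no script-src or default-src: scripts are unrestricted");
    return findings;
  }
  const lowered = sources.map((s) => s.toLowerCase());
  if (lowered.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' permits eval() and new Function()");
  }
  const hasNonceOrHash = lowered.some((s) =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s)
  );
  if (lowered.includes("'unsafe-inline'")) {
    // When a nonce or hash source is present, nonce/hash-aware browsers
    // ignore 'unsafe-inline'; it only remains a fallback for old browsers.
    findings.push(
      hasNonceOrHash
        ? "'unsafe-inline' present but ignored by nonce/hash-aware browsers"
        : "'unsafe-inline' permits inline <script> and event handlers"
    );
  }
  if (lowered.includes("*")) {
    findings.push("wildcard source allows scripts from any origin");
  }
  return findings;
}

// Constructed policies: the relaxed shape the issue describes, and a
// hardened replacement that relies on a per-response nonce instead.
const RELAXED_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; " +
  "style-src 'self' 'unsafe-inline'";

const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; " +
  "style-src 'self'; object-src 'none'; base-uri 'self'";

// Stand-alone run: print the findings for both constructed policies.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, header] of [
    ["relaxed", RELAXED_POLICY],
    ["hardened", HARDENED_POLICY],
  ]) {
    console.log(`${label}:`, auditScriptSrc(header));
  }
}
```

The nonce in `HARDENED_POLICY` must be generated freshly per response and placed on every legitimate `<script>` tag; a static value, as in the placeholder above, would give no protection.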