Why doesn't the new-relic-admin support nonced CSP?

[allen-munsch]

newrelic-python-agent/newrelic/api/asgi_application.py

Line 172 in 242c51a

self.body, lambda: browser_agent_data, self.search_maximum

Seems weird that the default would be "'unsafe-inline'"?

• newrelic-python-agent/newrelic/api/html_insertion.py

  Line 32 in 242c51a

  def insert_html_snippet(data, html_to_be_inserted, search_limit=64*1024):

• newrelic-python-agent/newrelic/api/html_insertion.py

  Line 49 in 242c51a

  text = html_to_be_inserted()

• newrelic-python-agent/newrelic/api/web_transaction.py

  Lines 42 to 44 in ad65494

  	_js_agent_header_fragment = '<script type="text/javascript">%s</script>'
  	_js_agent_footer_fragment = '<script type="text/javascript">'\
  	'window.NREUM||(NREUM={});NREUM.info=%s</script>'

Any suggestions?

• https://docs.newrelic.com/docs/apm/agents/python-agent/python-agent-api/disablebrowserautorum-python-agent-api/

• https://discuss.newrelic.com/t/content-security-policy-and-browser-injection/2629

• newrelic-python-agent/newrelic/api/web_transaction.py

  Lines 402 to 403 in ad65494

  	if self._settings.js_agent_loader:
  	header = _js_agent_header_fragment % self._settings.js_agent_loader

Similar:

• Support for CSP nonces newrelic-ruby-agent#332
• https://github.com/newrelic/newrelic-ruby-agent/pull/673/files

[aaroncameron-wk]

As linked above, this has been implemented in the Ruby agent so would appear to be fairly trivial to implement for the Python agent as well. As far as I've seen, the reasoning for not doing this so far hinges on an assumption that it would involve breaking compatibility with outdated browsers, although that's not necessarily true or even important to many people, as expressed by many over 6 years in this thread.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[allen-munsch]

It's not stale?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[joshuata]

This should not be marked as stale as it is a security focused feature request

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[allen-munsch]

+1

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[allen-munsch]

+1

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[joshuata]

This should still be open as it is a security issue. I am seriously considering dropping newrelic due to the lack of movement on this

[Ak-x]

Hello @joshuata, we will get this effort scoped out on our teams end and determine when we can add this to our upcoming releases.

cc: @ak-war

[allen-munsch]

@Ak-x Thank you!

[jimleroyer]

Our team using NewRelic would really like support for this. We cannot use NewRelic on the front-end at the moment due to its lack of configuration options to align with our CSP and our requirement to use a nonce. I feel let down as other agent implementations support it except the Python one.

Hope you folks can include this one in! 🤞

[allen-munsch]

@TimPansino Thank you! Happy Holidays. 🎆