Posted to notifications@apisix.apache.org by ju...@apache.org on 2022/11/07 01:35:51 UTC
[apisix-dashboard] branch master updated: fix: change default CSP value (#2601)
This is an automated email from the ASF dual-hosted git repository.
juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-dashboard.git
The following commit(s) were added to refs/heads/master by this push:
new 8dcadcea2 fix: change default CSP value (#2601)
8dcadcea2 is described below
commit 8dcadcea202656396cb6b79aba84999e0767f311
Author: nthsky <ni...@qq.com>
AuthorDate: Mon Nov 7 09:35:46 2022 +0800
fix: change default CSP value (#2601)
Co-authored-by: Zeping Bai <bz...@apache.org>
---
api/conf/conf.yaml | 2 +-
api/internal/conf/conf.go | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/api/conf/conf.yaml b/api/conf/conf.yaml
index 7c41e06a2..28a542b4a 100644
--- a/api/conf/conf.yaml
+++ b/api/conf/conf.yaml
@@ -66,7 +66,7 @@ conf:
# access_control_allow_headers: "Authorization"
# access_control-allow_methods: "*"
# x_frame_options: "deny"
- # content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src xx.xx.xx.xx:3000" # You can set frame-src to provide content for your grafana panel.
+ # content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000" # You can set frame-src to provide content for your grafana panel.
authentication:
secret:
diff --git a/api/internal/conf/conf.go b/api/internal/conf/conf.go
index 83c8e6d53..077a178b3 100644
--- a/api/internal/conf/conf.go
+++ b/api/internal/conf/conf.go
@@ -41,6 +41,8 @@ const (
EnvTEST = "test"
WebDir = "html/"
+
+ DefaultCSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
State = "123456"
)
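Review bot: The new DefaultCSP constant adds `'unsafe-inline'` to `script-src`, which the previous hard-coded default (the string removed in the two initSecurity hunks below) did not allow; with that source present the policy no longer blocks injected inline scripts, so the default CSP loses most of its value as an XSS mitigation and the commit message does not say why the wider policy is needed. If the dashboard's bundled UI genuinely requires inline scripts, record that on the constant, e.g. `// DefaultCSP applies when content_security_policy is left unset; 'unsafe-inline' in script-src is required by <UI component — TODO confirm> and weakens XSS protection, so prefer a nonce- or hash-based source once the frontend supports it.`; otherwise keep `script-src 'self' 'unsafe-eval'` as before and document how operators override the default. The `img-src 'self' data:` addition is the narrower change and only affects image loading. The same point applies where the constant is consumed in both initSecurity hunks; the enclosing const block starts outside this hunk.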
@@ -414,7 +416,7 @@ func initSecurity(conf Security) {
if conf != se {
SecurityConf = conf
if conf.ContentSecurityPolicy == "" {
- SecurityConf.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+ SecurityConf.ContentSecurityPolicy = DefaultCSP
}
if conf.XFrameOptions == "" {
SecurityConf.XFrameOptions = "deny"
@@ -424,6 +426,6 @@ func initSecurity(conf Security) {
SecurityConf = Security{
XFrameOptions: "deny",
- ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+ ContentSecurityPolicy: DefaultCSP,
}
}