
[apisix-dashboard] branch master updated: fix: change default CSP value (#2601)


juzhiyuan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-dashboard.git


The following commit(s) were added to refs/heads/master by this push:
     new 8dcadcea2 fix: change default CSP value (#2601)
8dcadcea2 is described below

commit 8dcadcea202656396cb6b79aba84999e0767f311
Author: nthsky <ni...@qq.com>
AuthorDate: Mon Nov 7 09:35:46 2022 +0800

    fix: change default CSP value (#2601)
    
    Co-authored-by: Zeping Bai <bz...@apache.org>
---
 api/conf/conf.yaml        | 2 +-
 api/internal/conf/conf.go | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/api/conf/conf.yaml b/api/conf/conf.yaml
index 7c41e06a2..28a542b4a 100644
--- a/api/conf/conf.yaml
+++ b/api/conf/conf.yaml
@@ -66,7 +66,7 @@ conf:
   #   access_control_allow_headers: "Authorization"
   #   access_control-allow_methods: "*"
   #   x_frame_options: "deny"
-  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
+  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
 
 authentication:
   secret:
diff --git a/api/internal/conf/conf.go b/api/internal/conf/conf.go
index 83c8e6d53..077a178b3 100644
--- a/api/internal/conf/conf.go
+++ b/api/internal/conf/conf.go
@@ -41,6 +41,8 @@ const (
 	EnvTEST  = "test"
 
 	WebDir = "html/"
+
+	DefaultCSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
 	State  = "123456"
 )
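Review bot: The new `DefaultCSP` on line 50 adds `'unsafe-inline'` to `script-src`, which the previous default (`script-src 'self' 'unsafe-eval'`, visible as the removed line in the next hunk) did not allow; with inline scripts permitted, an injected inline `<script>` or event handler executes under the policy, so the CSP no longer mitigates XSS in the dashboard, and `'unsafe-eval'` compounds this. The commit message only mentions the `img-src 'self' data:` addition, so this weakening is easy to miss. If the front end genuinely needs inline scripts, that trade-off should be recorded on the constant, e.g. `// DefaultCSP allows 'unsafe-inline' scripts because the bundled UI relies on them; prefer a nonce- or hash-based script-src once the front end supports it.`, and stated in the commit message; otherwise drop `'unsafe-inline'` and keep only the `img-src` change. Separately, the constant is placed directly above `State  = "123456"` with no blank line, so gofmt would likely realign that context line.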
 
@@ -414,7 +416,7 @@ func initSecurity(conf Security) {
 	if conf != se {
 		SecurityConf = conf
 		if conf.ContentSecurityPolicy == "" {
-			SecurityConf.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+			SecurityConf.ContentSecurityPolicy = DefaultCSP
 		}
 		if conf.XFrameOptions == "" {
 			SecurityConf.XFrameOptions = "deny"
@@ -424,6 +426,6 @@ func initSecurity(conf Security) {
 
 	SecurityConf = Security{
 		XFrameOptions:         "deny",
-		ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+		ContentSecurityPolicy: DefaultCSP,
 	}
 }