fix: change default CSP value (#2601)

Co-authored-by: Zeping Bai <[email protected]>
apache · Nov 7, 2022 · 8dcadce · 8dcadce
1 parent b5672b6
commit 8dcadce
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/api/conf/conf.yaml b/api/conf/conf.yaml
@@ -66,7 +66,7 @@ conf:
   #   access_control_allow_headers: "Authorization"
   #   access_control-allow_methods: "*"
   #   x_frame_options: "deny"
-  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
+  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
 
 authentication:
   secret:

diff --git a/api/internal/conf/conf.go b/api/internal/conf/conf.go
@@ -41,6 +41,8 @@ const (
 	EnvTEST  = "test"
 
 	WebDir = "html/"
+
+	DefaultCSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
 	State  = "123456"
 )
 
@@ -414,7 +416,7 @@ func initSecurity(conf Security) {
 	if conf != se {
 		SecurityConf = conf
 		if conf.ContentSecurityPolicy == "" {
-			SecurityConf.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+			SecurityConf.ContentSecurityPolicy = DefaultCSP
 		}
 		if conf.XFrameOptions == "" {
 			SecurityConf.XFrameOptions = "deny"
@@ -424,6 +426,6 @@ func initSecurity(conf Security) {
 
 	SecurityConf = Security{
 		XFrameOptions:         "deny",
-		ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+		ContentSecurityPolicy: DefaultCSP,
 	}
 }