Remove unsafe-eval from our default CSP

elastic · Apr 5, 2021 · 986d827 · 986d827
1 parent cf22394
commit 986d827
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
@@ -20,7 +20,7 @@ export const config = {
   schema: schema.object({
     rules: schema.arrayOf(schema.string(), {
       defaultValue: [
-        `script-src 'unsafe-eval' 'self'`,
+        `script-src 'self'`,
         `worker-src blob: 'self'`,
         `style-src 'unsafe-inline' 'self'`,
       ],

diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts
@@ -25,9 +25,9 @@ describe('CspConfig', () => {
   test('DEFAULT', () => {
     expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
       CspConfig {
-        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
         "rules": Array [
-          "script-src 'unsafe-eval' 'self'",
+          "script-src 'self'",
           "worker-src blob: 'self'",
           "style-src 'unsafe-inline' 'self'",
         ],
@@ -40,9 +40,9 @@ describe('CspConfig', () => {
   test('defaults from config', () => {
     expect(new CspConfig()).toMatchInlineSnapshot(`
       CspConfig {
-        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
         "rules": Array [
-          "script-src 'unsafe-eval' 'self'",
+          "script-src 'self'",
           "worker-src blob: 'self'",
           "style-src 'unsafe-inline' 'self'",
         ],
@@ -55,9 +55,9 @@ describe('CspConfig', () => {
   test('creates from partial config', () => {
     expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(`
       CspConfig {
-        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
         "rules": Array [
-          "script-src 'unsafe-eval' 'self'",
+          "script-src 'self'",
           "worker-src blob: 'self'",
           "style-src 'unsafe-inline' 'self'",
         ],

diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
@@ -27,7 +27,7 @@ export default function ({ getService }) {
 
       const entries = Array.from(parsed.entries());
       expect(entries).to.eql([
-        ['script-src', ["'unsafe-eval'", "'self'"]],
+        ['script-src', ["'self'"]],
         ['worker-src', ['blob:', "'self'"]],
         ['style-src', ["'unsafe-inline'", "'self'"]],
       ]);