From 986d827cb3917e785e52b803f25bf4d6c4d27d7d Mon Sep 17 00:00:00 2001
From: Larry Gregory
Date: Mon, 15 Mar 2021 14:44:03 -0400
Subject: [PATCH] Remove unsafe-eval from our default CSP
---
 src/core/server/csp/config.ts | 2 +-
 src/core/server/csp/csp_config.test.ts | 12 ++++++------
 test/api_integration/apis/general/csp.js | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
index 3fc9faa26179e65..c3713a58f9384a8 100644
--- a/src/core/server/csp/config.ts
+++ b/src/core/server/csp/config.ts
@@ -20,7 +20,7 @@ export const config = {
 schema: schema.object({
 rules: schema.arrayOf(schema.string(), {
 defaultValue: [
- `script-src 'unsafe-eval' 'self'`,
+ `script-src 'self'`,
 `worker-src blob: 'self'`,
 `style-src 'unsafe-inline' 'self'`,
 ],
diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts
index ed13d363c416659..fa0b9d67fc3ff3b 100644
--- a/src/core/server/csp/csp_config.test.ts
+++ b/src/core/server/csp/csp_config.test.ts
@@ -25,9 +25,9 @@ describe('CspConfig', () => {
 test('DEFAULT', () => {
 expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
 CspConfig {
- "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 "rules": Array [
- "script-src 'unsafe-eval' 'self'",
+ "script-src 'self'",
 "worker-src blob: 'self'",
 "style-src 'unsafe-inline' 'self'",
 ],
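Review bot: The new `defaultValue` entry `script-src 'self'` carries no comment recording that `'unsafe-eval'` is deliberately absent, so a contributor who later hits an eval-dependent plugin has nothing in the schema telling them that putting it back into `rules` is a policy downgrade rather than the repair of an accidental omission; a one-line comment such as `// 'unsafe-eval' is intentionally absent from script-src; adding it back re-enables eval()/Function for every page` would keep that intent next to the value. The same default list still ends with `style-src 'unsafe-inline' 'self'`, which this commit leaves as the weakest of the three rules; a short note or tracked follow-up would stop readers from assuming the default is now fully hardened. No `default-src` appears in the list, so directives the three rules do not name get no fallback — pre-existing, but worth stating in the same comment. The enclosing `schema.object` and `config` definition continue outside the hunk.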
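Review bot: The updated inline snapshots in this hunk and in the `@@ -40` and `@@ -55` hunks of the same file are the only thing pinning `'unsafe-eval'` out of the default header, and inline snapshots are refreshed wholesale with `-u`, so a change that reintroduces the keyword would be accepted as soon as someone regenerates them. An explicit negative assertion next to each snapshot states the intent in a form that does not regenerate: `expect(CspConfig.DEFAULT.header).not.toContain("'unsafe-eval'");` in the `DEFAULT` test and `expect(new CspConfig().header).not.toContain("'unsafe-eval'");` in the other two. The `describe` block and each `test` callback continue outside the hunk.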
@@ -40,9 +40,9 @@ describe('CspConfig', () => {
 test('defaults from config', () => {
 expect(new CspConfig()).toMatchInlineSnapshot(`
 CspConfig {
- "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 "rules": Array [
- "script-src 'unsafe-eval' 'self'",
+ "script-src 'self'",
 "worker-src blob: 'self'",
 "style-src 'unsafe-inline' 'self'",
 ],
@@ -55,9 +55,9 @@ describe('CspConfig', () => {
 test('creates from partial config', () => {
 expect(new CspConfig({ strict: false, warnLegacyBrowsers: false })).toMatchInlineSnapshot(`
 CspConfig {
- "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 "rules": Array [
- "script-src 'unsafe-eval' 'self'",
+ "script-src 'self'",
 "worker-src blob: 'self'",
 "style-src 'unsafe-inline' 'self'",
 ],
diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
index d50080a6e5ff0c8..efa3df9a39d004b 100644
--- a/test/api_integration/apis/general/csp.js
+++ b/test/api_integration/apis/general/csp.js
@@ -27,7 +27,7 @@ export default function ({ getService }) {
 const entries = Array.from(parsed.entries());
 expect(entries).to.eql([
- ['script-src', ["'unsafe-eval'", "'self'"]],
+ ['script-src', ["'self'"]],
 ['worker-src', ['blob:', "'self'"]],
 ['style-src', ["'unsafe-inline'", "'self'"]],
 ]);