Remove unsafe-eval from our default CSP

elastic · May 5, 2021 · cceb9e0 · cceb9e0
1 parent 0d7a582
commit cceb9e0
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 12 deletions.
diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
@@ -20,7 +20,7 @@ export const config = {
   schema: schema.object({
     rules: schema.arrayOf(schema.string(), {
       defaultValue: [
-        `script-src 'unsafe-eval' 'self'`,
+        `script-src 'self'`,
         `worker-src blob: 'self'`,
         `style-src 'unsafe-inline' 'self'`,
       ],

diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts
@@ -27,9 +27,9 @@ describe('CspConfig', () => {
     expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
       CspConfig {
         "disableEmbedding": false,
-        "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+        "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
         "rules": Array [
-          "script-src 'unsafe-eval' 'self'",
+          "script-src 'self'",
           "worker-src blob: 'self'",
           "style-src 'unsafe-inline' 'self'",
         ],
@@ -73,7 +73,7 @@ describe('CspConfig', () => {
         expect(config.disableEmbedding).not.toEqual(CspConfig.DEFAULT.disableEmbedding);
         expect(config.rules).toEqual(expect.arrayContaining([FRAME_ANCESTORS_RULE]));
         expect(config.header).toMatchInlineSnapshot(
-          `"script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
+          `"script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
         );
       });
 

diff --git a/src/core/server/http_resources/http_resources_service.test.ts b/src/core/server/http_resources/http_resources_service.test.ts
@@ -90,7 +90,7 @@ describe('HttpResources service', () => {
             headers: {
               'x-kibana': '42',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });
@@ -142,7 +142,7 @@ describe('HttpResources service', () => {
             headers: {
               'x-kibana': '42',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });
@@ -165,7 +165,7 @@ describe('HttpResources service', () => {
             headers: {
               'content-type': 'text/html',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });
@@ -197,7 +197,7 @@ describe('HttpResources service', () => {
               'content-type': 'text/html',
               'x-kibana': '42',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });
@@ -220,7 +220,7 @@ describe('HttpResources service', () => {
             headers: {
               'content-type': 'text/javascript',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });
@@ -252,7 +252,7 @@ describe('HttpResources service', () => {
               'content-type': 'text/javascript',
               'x-kibana': '42',
               'content-security-policy':
-                "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+                "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
             },
           });
         });

diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
@@ -27,7 +27,7 @@ export default function ({ getService }) {
 
       const entries = Array.from(parsed.entries());
       expect(entries).to.eql([
-        ['script-src', ["'unsafe-eval'", "'self'"]],
+        ['script-src', ["'self'"]],
         ['worker-src', ['blob:', "'self'"]],
         ['style-src', ["'unsafe-inline'", "'self'"]],
       ]);

diff --git a/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts
@@ -70,7 +70,7 @@ export default function ({ getService }: FtrProviderContext) {
           'private, no-cache, no-store, must-revalidate'
         );
         expect(response.headers['content-security-policy']).to.be(
-          `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
+          `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
         );
 
         // Check that script that forwards URL fragment worked correctly.