diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
index a61fa1b03a45c88..c20595b591de045 100644
--- a/src/core/server/csp/config.ts
+++ b/src/core/server/csp/config.ts
@@ -20,7 +20,7 @@ export const config = {
 schema: schema.object({
 rules: schema.arrayOf(schema.string(), {
 defaultValue: [
- `script-src 'unsafe-eval' 'self'`,
+ `script-src 'self'`,
 `worker-src blob: 'self'`,
 `style-src 'unsafe-inline' 'self'`,
 ],
diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts
index 1e023c6f08ea801..ef27e42a8feec51 100644
--- a/src/core/server/csp/csp_config.test.ts
+++ b/src/core/server/csp/csp_config.test.ts
@@ -27,9 +27,9 @@ describe('CspConfig', () => {
 expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
 CspConfig {
 "disableEmbedding": false,
- "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 "rules": Array [
- "script-src 'unsafe-eval' 'self'",
+ "script-src 'self'",
 "worker-src blob: 'self'",
 "style-src 'unsafe-inline' 'self'",
 ],
@@ -73,7 +73,7 @@ describe('CspConfig', () => {
 expect(config.disableEmbedding).not.toEqual(CspConfig.DEFAULT.disableEmbedding);
 expect(config.rules).toEqual(expect.arrayContaining([FRAME_ANCESTORS_RULE]));
 expect(config.header).toMatchInlineSnapshot(
- `"script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
+ `"script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
 );
 });
diff --git a/src/core/server/http_resources/http_resources_service.test.ts b/src/core/server/http_resources/http_resources_service.test.ts
index 8b24e05fc5bf4c0..afefb1fb6876ed4 100644
--- a/src/core/server/http_resources/http_resources_service.test.ts
+++ b/src/core/server/http_resources/http_resources_service.test.ts
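Review bot: The new `script-src 'self'` default in config.ts carries no comment saying why `'unsafe-eval'` was dropped, so the next contributor who hits a plugin or bundled library that breaks under the tighter policy may simply add it back. Put a why-comment directly above the literal, e.g. `// 'unsafe-eval' is deliberately absent from script-src: eval()/new Function() are blocked by default; deployments that need them must opt in through this rules setting.` (that the setting is user-overridable is inferred from it being a schema default, not shown in the hunk). Dropping `'unsafe-eval'` is a user-visible behaviour change for any browser-side code relying on eval-style loading, so it should also be called out as a breaking change wherever this project records them. The enclosing `schema.object(...)` call begins and ends outside the hunk.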
@@ -90,7 +90,7 @@ describe('HttpResources service', () => {
 headers: {
 'x-kibana': '42',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
@@ -142,7 +142,7 @@ describe('HttpResources service', () => {
 headers: {
 'x-kibana': '42',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
@@ -165,7 +165,7 @@ describe('HttpResources service', () => {
 headers: {
 'content-type': 'text/html',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
@@ -197,7 +197,7 @@ describe('HttpResources service', () => {
 'content-type': 'text/html',
 'x-kibana': '42',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
@@ -220,7 +220,7 @@ describe('HttpResources service', () => {
 headers: {
 'content-type': 'text/javascript',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
@@ -252,7 +252,7 @@ describe('HttpResources service', () => {
 'content-type': 'text/javascript',
 'x-kibana': '42',
 'content-security-policy':
- "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 },
 });
 });
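Review bot: The six hunks in http_resources_service.test.ts (at -90, -142, -165, -197, -220 and -252) each restate the full expected header literal, so the next change to the CSP default will again have to touch six places in this one file. A single test-level constant such as `const DEFAULT_CSP_HEADER = "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'";` referenced as `'content-security-policy': DEFAULT_CSP_HEADER,` in each `headers` object keeps the literal explicit (a regression in the default is still caught) while making it single-sourced. This is a style point only; the updated expectations themselves look consistent with the config change. The enclosing `describe` callbacks start and end outside every hunk.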
diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
index d50080a6e5ff0c8..efa3df9a39d004b 100644
--- a/test/api_integration/apis/general/csp.js
+++ b/test/api_integration/apis/general/csp.js
@@ -27,7 +27,7 @@ export default function ({ getService }) {
 const entries = Array.from(parsed.entries());
 expect(entries).to.eql([
- ['script-src', ["'unsafe-eval'", "'self'"]],
+ ['script-src', ["'self'"]],
 ['worker-src', ['blob:', "'self'"]],
 ['style-src', ["'unsafe-inline'", "'self'"]],
 ]);
diff --git a/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts
index b3a04747125e284..32c889f2beac1c9 100644
--- a/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts
+++ b/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts
@@ -70,7 +70,7 @@ export default function ({ getService }: FtrProviderContext) {
 'private, no-cache, no-store, must-revalidate'
 );
 expect(response.headers['content-security-policy']).to.be(
- `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
+ `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
 );
 // Check that script that forwards URL fragment worked correctly.