diff --git a/src/core/server/csp/config.ts b/src/core/server/csp/config.ts
index a61fa1b03a45c8..c20595b591de04 100644
--- a/src/core/server/csp/config.ts
+++ b/src/core/server/csp/config.ts
@@ -20,7 +20,7 @@ export const config = {
 schema: schema.object({
 rules: schema.arrayOf(schema.string(), {
 defaultValue: [
- `script-src 'unsafe-eval' 'self'`,
+ `script-src 'self'`,
 `worker-src blob: 'self'`,
 `style-src 'unsafe-inline' 'self'`,
 ],
diff --git a/src/core/server/csp/csp_config.test.ts b/src/core/server/csp/csp_config.test.ts
index 1e023c6f08ea80..ef27e42a8feec5 100644
--- a/src/core/server/csp/csp_config.test.ts
+++ b/src/core/server/csp/csp_config.test.ts
@@ -27,9 +27,9 @@ describe('CspConfig', () => {
 expect(CspConfig.DEFAULT).toMatchInlineSnapshot(`
 CspConfig {
 "disableEmbedding": false,
- "header": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
+ "header": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
 "rules": Array [
- "script-src 'unsafe-eval' 'self'",
+ "script-src 'self'",
 "worker-src blob: 'self'",
 "style-src 'unsafe-inline' 'self'",
 ],
@@ -73,7 +73,7 @@ describe('CspConfig', () => {
 expect(config.disableEmbedding).not.toEqual(CspConfig.DEFAULT.disableEmbedding);
 expect(config.rules).toEqual(expect.arrayContaining([FRAME_ANCESTORS_RULE]));
 expect(config.header).toMatchInlineSnapshot(
- `"script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
+ `"script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'; frame-ancestors 'self'"`
 );
 });
diff --git a/src/core/server/http_resources/http_resources_service.test.ts b/src/core/server/http_resources/http_resources_service.test.ts
index 8b24e05fc5bf4c..afefb1fb6876ed 100644
--- a/src/core/server/http_resources/http_resources_service.test.ts
+++ b/src/core/server/http_resources/http_resources_service.test.ts
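Review bot: Nothing in the config.ts hunk records why `'unsafe-eval'` was dropped from the default `script-src`, so a later maintainer chasing a plugin that calls `eval()`/`new Function()` may simply add it back to `defaultValue`, which re-weakens the policy for every page Kibana serves; add a comment above `defaultValue` such as `// 'unsafe-eval' was deliberately removed from script-src; do not restore it here — a deployment that truly needs it must opt in through csp.rules.` The accompanying test updates (csp_config.test.ts, http_resources_service.test.ts and the x-pack integration tests in this diff) only re-pin the new literal, so nothing here asserts that an operator-supplied `rules` value re-introducing `'unsafe-eval'` is at least surfaced in a log; whether such a check exists elsewhere in the CSP service is not visible from this diff. The `config` object continues outside the hunk.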
@@ -90,7 +90,7 @@ describe('HttpResources service', () => { headers: { 'x-kibana': '42', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); @@ -142,7 +142,7 @@ describe('HttpResources service', () => { headers: { 'x-kibana': '42', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); @@ -165,7 +165,7 @@ describe('HttpResources service', () => { headers: { 'content-type': 'text/html', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); @@ -197,7 +197,7 @@ describe('HttpResources service', () => { 'content-type': 'text/html', 'x-kibana': '42', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); @@ -220,7 +220,7 @@ describe('HttpResources service', () => { headers: { 'content-type': 'text/javascript', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); @@ -252,7 +252,7 @@ describe('HttpResources service', () => { 'content-type': 'text/javascript', 'x-kibana': '42', 'content-security-policy': - "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", + "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", }, }); }); 
diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js index d50080a6e5ff0c..efa3df9a39d004 100644 --- a/test/api_integration/apis/general/csp.js +++ b/test/api_integration/apis/general/csp.js @@ -27,7 +27,7 @@ export default function ({ getService }) { const entries = Array.from(parsed.entries()); expect(entries).to.eql([ - ['script-src', ["'unsafe-eval'", "'self'"]], + ['script-src', ["'self'"]], ['worker-src', ['blob:', "'self'"]], ['style-src', ["'unsafe-inline'", "'self'"]], ]); diff --git a/x-pack/plugins/security/server/authentication/authentication_service.test.ts b/x-pack/plugins/security/server/authentication/authentication_service.test.ts index d38f963a60c332..ae527d3b56b4f1 100644 --- a/x-pack/plugins/security/server/authentication/authentication_service.test.ts +++ b/x-pack/plugins/security/server/authentication/authentication_service.test.ts @@ -440,7 +440,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/login?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2Fapp%2Fsome', }, @@ -465,7 +465,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/logout?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2Fapp%2Fsome', }, @@ -492,7 +492,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/login?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2F', }, @@ -538,7 +538,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/login?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2Fapp%2Fsome', }, @@ -563,7 +563,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/logout?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2Fapp%2Fsome', }, @@ -590,7 +590,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: '
', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, Refresh: '0;url=/mock-server-basepath/login?msg=UNAUTHENTICATED&next=%2Fmock-server-basepath%2F', }, @@ -635,7 +635,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: 'rendered-view', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, }, }); @@ -667,7 +667,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: 'rendered-view', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, }, }); @@ -702,7 +702,7 @@ describe('AuthenticationService', () => { expect(mockOnPreResponseToolkit.render).toHaveBeenCalledWith({ body: 'rendered-view', headers: { - 'Content-Security-Policy': `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, + 'Content-Security-Policy': `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`, }, }); diff --git a/x-pack/test/security_api_integration/tests/anonymous/login.ts b/x-pack/test/security_api_integration/tests/anonymous/login.ts index 30d5d3ea331207..42e287e061f520 100644 --- a/x-pack/test/security_api_integration/tests/anonymous/login.ts +++ b/x-pack/test/security_api_integration/tests/anonymous/login.ts 
@@ -118,7 +118,7 @@ export default function ({ getService }: FtrProviderContext) { expect(unauthenticatedResponse.headers['set-cookie']).to.be(undefined); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); diff --git a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts index 08780fdd0397dd..a8c50a9b5bfd75 100644 --- a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts +++ b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts @@ -98,7 +98,7 @@ export default function ({ getService }: FtrProviderContext) { // If browser and Kibana can successfully negotiate this HTML won't rendered, but if not // users will see a proper `Unauthenticated` page. expect(spnegoResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(spnegoResponse.text).to.contain('We couldn't log you in'); }); diff --git a/x-pack/test/security_api_integration/tests/login_selector/basic_functionality.ts b/x-pack/test/security_api_integration/tests/login_selector/basic_functionality.ts index 69b3542b74bfe1..159dba93e7a760 100644 --- a/x-pack/test/security_api_integration/tests/login_selector/basic_functionality.ts +++ b/x-pack/test/security_api_integration/tests/login_selector/basic_functionality.ts 
@@ -404,7 +404,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.headers.refresh).to.be( `0;url=/logout?msg=UNAUTHENTICATED&next=%2F` @@ -421,7 +421,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.headers.refresh).to.be( `0;url=/login?msg=UNAUTHENTICATED&next=%2F` @@ -692,7 +692,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.headers.refresh).to.be( `0;url=/logout?msg=UNAUTHENTICATED&next=%2F` @@ -706,7 +706,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.headers.refresh).to.be( `0;url=/login?msg=UNAUTHENTICATED&next=%2F` 
diff --git a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts index c0c9ebdf58ff2c..4665c69578fcbc 100644 --- a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts +++ b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts @@ -176,7 +176,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); @@ -188,7 +188,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); diff --git a/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts index b3a04747125e28..8a982d48a9d811 100644 --- a/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts +++ b/x-pack/test/security_api_integration/tests/oidc/implicit_flow/oidc_auth.ts 
@@ -70,7 +70,7 @@ export default function ({ getService }: FtrProviderContext) { 'private, no-cache, no-store, must-revalidate' ); expect(response.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); // Check that script that forwards URL fragment worked correctly. @@ -92,7 +92,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); @@ -111,7 +111,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); diff --git a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts index 2150553267a785..ef9b25df4fd4f7 100644 --- a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts +++ b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts 
@@ -73,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); diff --git a/x-pack/test/security_api_integration/tests/saml/saml_login.ts b/x-pack/test/security_api_integration/tests/saml/saml_login.ts index a246dd4c5675af..86bde771e8651f 100644 --- a/x-pack/test/security_api_integration/tests/saml/saml_login.ts +++ b/x-pack/test/security_api_integration/tests/saml/saml_login.ts @@ -189,7 +189,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); }); @@ -238,7 +238,7 @@ export default function ({ getService }: FtrProviderContext) { .expect(401); expect(unauthenticatedResponse.headers['content-security-policy']).to.be( - `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` + `script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'` ); expect(unauthenticatedResponse.text).to.contain('We couldn't log you in'); });