fix: change default CSP value (#2601)

Co-authored-by: Zeping Bai <bzp2010@apache.org>
diff --git a/api/conf/conf.yaml b/api/conf/conf.yaml
index 7c41e06..28a542b 100644
--- a/api/conf/conf.yaml
+++ b/api/conf/conf.yaml
@@ -66,7 +66,7 @@
   #   access_control_allow_headers: "Authorization"
   #   access_control-allow_methods: "*"
   #   x_frame_options: "deny"
-  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
+  #   content_security_policy: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src xx.xx.xx.xx:3000"  # You can set frame-src to provide content for your grafana panel.
 
 authentication:
   secret:
diff --git a/api/internal/conf/conf.go b/api/internal/conf/conf.go
index 83c8e6d..077a178 100644
--- a/api/internal/conf/conf.go
+++ b/api/internal/conf/conf.go
@@ -41,6 +41,8 @@
 	EnvTEST  = "test"
 
 	WebDir = "html/"
+
+	DefaultCSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
 	State  = "123456"
 )
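Review bot: The new `DefaultCSP` adds `'unsafe-inline'` to `script-src`, which the hard-coded default removed in the two later hunks did not allow. Anyone who leaves `content_security_policy` unset now gets a policy that no longer blocks injected inline scripts, and the constant has no comment recording why. If the dashboard really needs it, document that on the constant, e.g. `// DefaultCSP is used when no content_security_policy is configured; it permits inline and eval'd scripts, so it does not mitigate XSS. Tighten with nonces or hashes once the frontend allows.` The same string is repeated in the commented sample in `conf.yaml`, so the two can drift. gofmt would also likely realign `State` now that it sits directly under `DefaultCSP`; the const block starts outside the hunk.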
 
@@ -414,7 +416,7 @@
 	if conf != se {
 		SecurityConf = conf
 		if conf.ContentSecurityPolicy == "" {
-			SecurityConf.ContentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+			SecurityConf.ContentSecurityPolicy = DefaultCSP
 		}
 		if conf.XFrameOptions == "" {
 			SecurityConf.XFrameOptions = "deny"
@@ -424,6 +426,6 @@
 
 	SecurityConf = Security{
 		XFrameOptions:         "deny",
-		ContentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+		ContentSecurityPolicy: DefaultCSP,
 	}
 }
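Review bot: The fallback `Security` literal pairs `XFrameOptions: "deny"` with a `DefaultCSP` that has no `frame-ancestors` directive, and `default-src` is not a fallback for `frame-ancestors`, `base-uri` or `form-action`. Framing protection therefore rests on the legacy header alone, and base-URL and form targets are unrestricted by the policy. Consider appending `; frame-ancestors 'none'; base-uri 'self'` to the constant so the CSP matches the deny intent, assuming the dashboard is never meant to be embedded. The same applies to the empty-value branch in the previous hunk; the enclosing function starts outside this hunk.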