
Web Interface needs Content Security Policy including 'unsafe-eval'

Open aburmeis opened this issue 5 years ago • 0 comments

By proxying the Graylog server and adding a CSP Header we figured out we need the following to make the UI work:

Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self' data:;

This is completely fine except for the script-src 'unsafe-eval'; you may also have a look at SO. Without that source, the UI crashes here:

```
[Error] TypeError: undefined is not an object (evaluating 'c.listSearchesClusterConfig().then')
	refresh (app.4678e54c30f1075e4dd8.js:96:167544)
	refresh
	init (app.4678e54c30f1075e4dd8.js:96:167432)
	init
	f (vendor.8d6aa5835c8302c41e2f.js:42:39178)
	(anonyme Funktion) (vendor.8d6aa5835c8302c41e2f.js:42:39319)
	r (app.4678e54c30f1075e4dd8.js:76:33361)
	sHKot7sx (app.4678e54c30f1075e4dd8.js:96:167330)
	o (app.4678e54c30f1075e4dd8.js:1:378)
	Mw0fhIVr (app.4678e54c30f1075e4dd8.js:53:152956)
	o (app.4678e54c30f1075e4dd8.js:1:378)
	95eaLShZ (app.4678e54c30f1075e4dd8.js:25:102305)
	o (app.4678e54c30f1075e4dd8.js:1:378)
	(anonyme Funktion) (app.4678e54c30f1075e4dd8.js:1:2409)
	Globaler Code (app.4678e54c30f1075e4dd8.js:1:2426)
```

Tested with Graylog 3.3.8

aburmeis, Oct 23 '20 13:10
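Added example (not part of this issue or of Graylog's own code): a small CSP parser and audit in JavaScript that takes the header quoted in the report as constructed sample input, resolves the browser's fall-back from a missing fetch directive to default-src, and lists the relaxations a reviewer would want to see before a proxy ships the policy. The finding strings and the set of checks are this example's own choices, not Graylog's.

```javascript
// Added example, not from the Graylog issue or project.
// Sample input: the policy the issue reports as needed for the Graylog UI.
const SAMPLE_CSP =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; " +
  "script-src 'self' 'unsafe-eval'; img-src 'self' data:;";

// Parse "directive src src; directive ..." into Map<directive, Set<source>>.
// Directive names are case-insensitive; a trailing ';' yields an empty entry we skip.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), new Set(sources));
  }
  return policy;
}

// Fetch directives (script-src, img-src, ...) fall back to default-src when absent.
// frame-ancestors does NOT fall back, so it is checked separately below.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? new Set();
}

// Return the findings a reviewer would raise, most severe first.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, 'script-src');
  if (script.has("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (script.has("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  for (const [directive, sources] of policy) {
    if (sources.has('*')) findings.push(`${directive} allows any origin (*)`);
  }
  if (!policy.has('frame-ancestors')) {
    findings.push('frame-ancestors not set (framing not restricted)');
  }
  return findings;
}

// Stand-alone run: print the audit of the sample policy.
console.log(auditCsp(SAMPLE_CSP));
```

Running the audit on the issue's header reports only the 'unsafe-eval' relaxation and the missing frame-ancestors directive, which matches the reporter's own assessment that everything else in the policy is fine.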