Inject CSP config via HTML tag rather than inline JavaScript (#31514)

This allows us to support a more flexible set of CSP rules that do not necessarily rely on nonce.
elastic · Feb 20, 2019 · 8aada89 · 8aada89
1 parent 11da27b
commit 8aada89
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/src/legacy/ui/ui_render/bootstrap/template.js.hbs b/src/legacy/ui/ui_render/bootstrap/template.js.hbs
@@ -1,3 +1,7 @@
+var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
+window.__kbnStrictCsp__ = kbnCsp.strictCsp;
+window.__kbnNonce__ = kbnCsp.nonce;
+
 if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
   var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
   legacyBrowserError.style.display = 'flex';

diff --git a/src/legacy/ui/ui_render/views/chrome.pug b/src/legacy/ui/ui_render/views/chrome.pug
@@ -300,5 +300,6 @@ html(lang=locale)
     block head
 
   body
+    kbn-csp(data=JSON.stringify({ nonce, strictCsp }))
     kbn-injected-metadata(data=JSON.stringify(injectedMetadata))
     block content
diff --git a/src/legacy/ui/ui_render/views/ui_app.pug b/src/legacy/ui/ui_render/views/ui_app.pug
@@ -137,7 +137,4 @@ block content
     // intentional as we check for the existence of __kbnCspNotEnforced__ in
     // bootstrap.
     window.__kbnCspNotEnforced__ = true;
-  script(nonce=nonce).
-    window.__kbnStrictCsp__ = !{strictCsp};
-    window.__kbnNonce__ = '!{nonce}';
   script(src=bootstrapScriptUrl, nonce=nonce)