nthsky opened a new pull request, #2601:
URL: https://github.com/apache/apisix-dashboard/pull/2601
**Why submit this pull request?**
- Bugfix
**What changes will this PR take into?**
It changes the dashboard's default CSP: it adds `unsafe-inline` to `script-src` and
adds `img-src`.
The current default CSP policy is
```
"default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
```
**Problems:**
1. `script-src` without `'unsafe-inline'` causes an error like this:
```
Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the
'unsafe-inline' keyword, a hash
('sha256-9B0adsvsNyel0bNudomHjhrSk758zuql+j59Udq5xCo='), or a nonce
('nonce-...') is required to enable inline execution.
```
2. Without `img-src`, plugin pages whose icons are base64 images cannot be
displayed correctly.
**Changes:**
After this change, the default CSP becomes
```
"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
```
--
This is an automated message from the Apache Git Service.