Middleware: Add CSP Report Only support #58074
One suggestion and one question. Thank you!
The docs look fine to me. I'm looking for a tech review approval from @papagian , @sh0rez , or @idafurjes .
Overall this LGTM @jcalisto 👍 (with the exception of a few minor nitpicks...) I'd like to see a review from @grafana/backend-platform too though! 😉
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
Code changes look great, glad to see the consideration put into these changes and improving the general state around the code you changed :)
I haven’t tested or compared the implementation to the spec, fyi
Credits to @hairyhenderson for his great suggestions!
What is this feature?
Adds a new content_security_policy_report_only config to the security section, to allow setting a Content-Security-Policy-Report-Only header in the middleware. A Content-Security-Policy-Report-Only header allows experimenting with a policy and monitoring its effects without enforcing it.
Which issue(s) does this PR fix?:
https://github.com/grafana/hosted-grafana/issues/2681
It will help us investigate the impact of enabling the CSP on cloud instances, and can also be useful for other users trying to experiment with their own CSP.
Special notes for your reviewer:
There was a need to refactor the CSP middleware function as there is common behaviour between the CSP and CSP-Report-Only headers (i.e., policy nonce and policy variables).
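The shared behaviour the PR description refers to, sketched as an added Go example (this is not Grafana's middleware or its config handling): one nonce is generated per request and substituted into both the enforced and the report-only template, so the two headers judge the same page with the same nonce, and an empty template simply omits its header. The placeholder names $NONCE and $ROOT_PATH, the CSPConfig type, the function names and the report-uri endpoint /grafana/csp-report are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CSPConfig holds the two policy templates (example type, not Grafana's own):
// an enforced policy and a report-only policy. An empty template disables the
// corresponding header.
type CSPConfig struct {
	Enforced   string // rendered into Content-Security-Policy
	ReportOnly string // rendered into Content-Security-Policy-Report-Only
	RootPath   string // substituted for the assumed $ROOT_PATH placeholder
}

// newNonce returns a fresh, unguessable base64 nonce for one response.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// renderPolicy is the step shared by both headers: substitute the per-request
// nonce and the instance variables into a template. The placeholder names
// $NONCE and $ROOT_PATH are assumptions of this example.
func renderPolicy(tmpl, nonce, rootPath string) string {
	r := strings.NewReplacer("$NONCE", "'nonce-"+nonce+"'", "$ROOT_PATH", rootPath)
	return strings.TrimSpace(r.Replace(tmpl))
}

// NonceOf extracts the first 'nonce-...' value from a rendered policy, or ""
// if the policy carries none. Used to check that both headers agree.
func NonceOf(policy string) string {
	const marker = "'nonce-"
	i := strings.Index(policy, marker)
	if i < 0 {
		return ""
	}
	rest := policy[i+len(marker):]
	j := strings.IndexByte(rest, '\'')
	if j < 0 {
		return ""
	}
	return rest[:j]
}

// CSPMiddleware renders both headers from one nonce per request, so a script
// tag emitted with that nonce is evaluated identically by the enforced and the
// report-only policy. Report-only violations are reported, never blocked.
func CSPMiddleware(cfg CSPConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		if cfg.Enforced != "" {
			w.Header().Set("Content-Security-Policy", renderPolicy(cfg.Enforced, nonce, cfg.RootPath))
		}
		if cfg.ReportOnly != "" {
			w.Header().Set("Content-Security-Policy-Report-Only", renderPolicy(cfg.ReportOnly, nonce, cfg.RootPath))
		}
		next.ServeHTTP(w, r)
	})
}

// HeadersFor sends one GET through the middleware and returns the response
// headers, so the effect of a config can be inspected without a real server.
func HeadersFor(cfg CSPConfig) http.Header {
	h := CSPMiddleware(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	// Constructed sample config: keep enforcing the current policy while
	// trialling a stricter one in report-only mode. The report endpoint is an
	// assumed path for this example.
	cfg := CSPConfig{
		Enforced:   "script-src $NONCE 'strict-dynamic' 'unsafe-eval'; object-src 'none'",
		ReportOnly: "script-src $NONCE 'strict-dynamic'; object-src 'none'; report-uri $ROOT_PATHcsp-report",
		RootPath:   "/grafana/",
	}
	for k, v := range HeadersFor(cfg) {
		fmt.Printf("%s: %s\n", k, strings.Join(v, ", "))
	}
}
```

Running main prints both headers for the constructed config. Leaving Enforced empty sends only the report-only header, which is the experiment mode the PR describes: violations of the trial policy show up in the browser console and at the report-uri endpoint, but nothing on the page is blocked, so the policy can be tightened until the reports go quiet before it is moved into the enforced setting.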