fix: remove unsafe-eval CSP (ENG-3437) #56

fwereade · 2024-05-26T06:49:21Z

As discussed in bug, it looks like this may only be necessary for dev mode.

squidsoup · 2024-05-29T22:24:05Z

redash/settings/__init__.py

@@ -115,7 +115,7 @@
 # for more information. E.g.:
 CONTENT_SECURITY_POLICY = os.environ.get(
 "REDASH_CONTENT_SECURITY_POLICY",
- "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' *.segment.com *.segment.io *.hotjar.com *.hotjar.io; connect-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io wss://*.hotjar.com wss://*.hotjar.io; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io *.segment.com *.segment.io *.hotjar.com *.hotjar.io;",


I believe this is the only change needed to satisfy the resolution of the pentest finding as it only mentions the header, not any calls to eval within redash - we shouldn't need to touch any of the redash libraries. I don't see any indication in the segment or hotjar docs that unsafe-eval is required.

fix: remove unsafe-eval CSP (ENG-3437)

6fbf474

fwereade marked this pull request as draft May 26, 2024 07:14

fwereade added 2 commits May 28, 2024 12:55

try strict plotly

eab7c61

experiment

1dc41ae

squidsoup reviewed May 29, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: remove unsafe-eval CSP (ENG-3437) #56

fix: remove unsafe-eval CSP (ENG-3437) #56

fwereade commented May 26, 2024

squidsoup May 29, 2024 •

edited

Loading

fix: remove unsafe-eval CSP (ENG-3437) #56

Are you sure you want to change the base?

fix: remove unsafe-eval CSP (ENG-3437) #56

Conversation

fwereade commented May 26, 2024

squidsoup May 29, 2024 • edited Loading

Choose a reason for hiding this comment

squidsoup May 29, 2024 •

edited

Loading