Consider implementing CSP headers on our HTTP UI Server #12553
Labels
kind/feature
New feature
triage/accepted
The issue was reviewed and is complete enough to start working on it
Comments
johncowen
added
kind/feature
lukidzi
added
triage/accepted
|
Just wanted to note on here, that we could also just document which CSP headers are needed, not necessarily always add them. (I'm guessing we already have the ability to add headers to the |
johncowen
added a commit
to kumahq/kuma-gui
that referenced
this issue
Feb 20, 2025
Adds stricter CSP headers to our development vite server. Whilst this is dev time only, it ensures that our GUI runs on a similarly configured server (such as kumahq/kuma#12553) --- As mentioned in other places, it would be good to add work so we can remove the `style-src 'unsafe-inline'`. This will require a globally available `v-style` directive which adds/removes/modifies styles imperatively behind the scenes. Testing: Using `make run`, add the following or similar anchor with an inline script and click it. <img width="1719" alt="Untitled-1" src="https://github.com/user-attachments/assets/8d493851-9a92-45fe-95e6-b67ea4606a5c" /> --------- Signed-off-by: John Cowen <john.cowen@konghq.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Discuss with frontend which policies we can apply.
The text was updated successfully, but these errors were encountered: