
Remove `unsafe-inline` from CSP

Dominic Couture requested to merge dcouture-remove-unsafe-inline into master

What does this MR do and why?

Related to #450699

`unsafe-inline` doesn't do anything in the presence of a `nonce` attribute and we have one on all pages. Security scanners tend to report this as a vulnerability (and neglect that we also have a nonce) so it's worth removing if only to avoid the noise and confusion from those scanners.

This will NOT have any impact on GitLab.com as of now because we still use the hard-coded version in https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/b59e12e32738accf65fc8dcdb1a8f748f67fd15d/releases/gitlab/values/gprd.yaml.gotmpl#L919 which overrides the change here. I will change this in a separate MR after this gets deployed to staging for a bit.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

N/A

How to set up and validate locally

Observe the `Content-Security-Policy` header in your browser's dev tools or with curl and notice that `unsafe-inline` isn't there in the `script-src` directive.

$ curl -is http://gdk.test:3000/explore | grep -i content-security-policy | grep -oE 'script-src[^;]*'
script-src 'strict-dynamic' 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net 'nonce-wDfNMIcEN5Jvhds3ru7zow=='
Edited by Dominic Couture
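An added checker, not part of this MR or of GitLab's code, that applies the rule from the description: it parses a CSP header and reports whether a listed `'unsafe-inline'` actually takes effect, since CSP Level 2 and later browsers ignore it once a nonce or hash source appears in the same directive. The two sample headers are constructed; the second mirrors the `script-src` value from the validation step above.

```python
import re

# Constructed sample directives: the first is the pre-MR shape with
# 'unsafe-inline' still listed, the second mirrors the header shown in
# the validation step of this MR (nonce value copied from that output).
BEFORE = ("script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' "
          "https://www.google.com/recaptcha/ https://www.recaptcha.net "
          "'nonce-wDfNMIcEN5Jvhds3ru7zow=='")
AFTER = ("script-src 'strict-dynamic' 'self' 'unsafe-eval' "
         "https://www.google.com/recaptcha/ https://www.recaptcha.net "
         "'nonce-wDfNMIcEN5Jvhds3ru7zow=='")

# A nonce-source or hash-source expression, e.g. 'nonce-abc==' or 'sha256-...'.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/=_-]+'$",
                           re.IGNORECASE)


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source expressions]}.

    Directive names are ASCII case-insensitive. When a directive is repeated,
    browsers honour only the first occurrence, so later copies are dropped.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_script_src(header):
    """Return (unsafe_inline_present, unsafe_inline_effective, has_nonce_or_hash).

    Scripts fall back to default-src when script-src is absent. Per CSP Level 2+,
    'unsafe-inline' is ignored when a nonce or hash source is in the same
    directive, so presence alone is not a finding; only an *effective*
    'unsafe-inline' (no nonce/hash alongside it) weakens the policy.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    present = "'unsafe-inline'" in {s.lower() for s in sources}
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    effective = present and not has_nonce_or_hash
    return present, effective, has_nonce_or_hash


if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_script_src(hdr))
```

A scanner that checked the directive this way would report the pre-MR header as "listed but ignored" rather than as a vulnerability, which is exactly the noise this change removes.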
