[phosphor-webui] Enable style-src 'unsafe-inline'

Henbin Chang henbinchang at gmail.com
Fri May 17 17:05:45 AEST 2019


Hi,
We would like to use angular-ui-grid module to support grid feature.

We found angular-ui-grid used a lot of inline styles.

To make it workable, we had to add "unsafe-inline" to CSP.
So we added the below modification in the phosphor-webui/webpack.config.js
     new CSPWebpackPlugin({
       'base-uri': '\'self\'',
       'object-src': '\'none\'',
   'script-src': ['\'self\''],
-      'style-src': ['\'self\''],
+      'style-src': ['\'self\'', '\'unsafe-inline\'' ],

But the grid could still not work.

Then we tried to modify the content of  CSP in the bmcweb
(include/security_headers_middleware.hpp)

@@ -41,7 +41,7 @@ struct SecurityHeadersMiddleware
       // img-src 'self' data: is used to allow that.
       //
https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
       res.addHeader("Content-Security-Policy",
-                      "default-src 'self'; img-src 'self' data:");
+                      "default-src 'self'; style-src 'self'
'unsafe-inline'; img-src 'self' data:");
       res.addHeader("X-XSS-Protection", "1; "
                                           "mode=block");
       res.addHeader("X-Content-Type-Options", "nosniff");

The grid could be displayed normally.

Can anyone tell me why the modified CSP in the webpack.config.js had no
effect?

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20190517/36147aca/attachment.htm>


More information about the openbmc mailing list