Remove `unsafe-inline` from CSP
What does this MR do and why?
Related to #450699
`unsafe-inline` doesn't do anything in the presence of a `nonce` attribute and we have one on all pages. Security scanners tend to report this as a vulnerability (and neglect that we also have a `nonce`) so it's worth removing if only to avoid the noise and confusion from those scanners.
This will NOT have any impact on GitLab.com as of now because we still use the hard-coded version in https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/blob/b59e12e32738accf65fc8dcdb1a8f748f67fd15d/releases/gitlab/values/gprd.yaml.gotmpl#L919 which overrides the change here. I will change this in a separate MR after this gets deployed to staging for a bit.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
Observe the `Content-Security-Policy` header in your browser's dev tools or with `curl` and notice that `unsafe-inline` isn't there in the `script-src` directive.
$ curl -is http://gdk.test:3000/explore | grep -i content-security-policy | grep -oE 'script-src[^;]*'
script-src 'strict-dynamic' 'self' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net 'nonce-wDfNMIcEN5Jvhds3ru7zow=='
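To make the "doesn't do anything" point checkable without relying on a scanner, here is an added Python snippet (not part of this MR or of GitLab) that parses a CSP header and reports whether an `unsafe-inline` in `script-src` is actually live or is ignored because a nonce/hash source or `'strict-dynamic'` is also present. The sample headers are constructed from the `curl` output above; the "before" variant just re-adds `'unsafe-inline'`.

```python
import re

# Constructed samples: CSP_AFTER mirrors the script-src shown by curl above,
# CSP_BEFORE is the same policy with 'unsafe-inline' still present.
CSP_AFTER = (
    "default-src 'self'; script-src 'strict-dynamic' 'self' 'unsafe-eval' "
    "https://www.google.com/recaptcha/ https://www.recaptcha.net "
    "'nonce-wDfNMIcEN5Jvhds3ru7zow=='"
)
CSP_BEFORE = CSP_AFTER.replace("'unsafe-eval'", "'unsafe-eval' 'unsafe-inline'")

NONCE_OR_HASH = re.compile(r"'(nonce|sha256|sha384|sha512)-", re.IGNORECASE)


def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_src_report(header):
    """Say whether 'unsafe-inline' in script-src would actually be honoured.

    Per CSP Level 2/3, a user agent that supports nonces/hashes ignores
    'unsafe-inline' when a nonce or hash source is present, and
    'strict-dynamic' causes 'unsafe-inline' (and host sources) to be ignored
    as well. So the keyword is only a real weakening when neither is there.
    """
    sources = parse_csp(header).get("script-src", [])
    lowered = [s.lower() for s in sources]
    present = "'unsafe-inline'" in lowered
    nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    strict_dynamic = "'strict-dynamic'" in lowered
    return {
        "unsafe_inline_present": present,
        "unsafe_inline_effective": present and not (nonce_or_hash or strict_dynamic),
        "nonce_or_hash": nonce_or_hash,
        "strict_dynamic": strict_dynamic,
    }


if __name__ == "__main__":
    for label, hdr in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(label, script_src_report(hdr))
```

Feeding the real header in (`curl -is ... | grep -i content-security-policy`) shows the scanner finding is noise for the "before" policy, while a bare `script-src 'self' 'unsafe-inline'` with no nonce is reported as genuinely effective.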