From 303de935d509bd2ada44f1a3a620d241ea61dbd8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:12:56 +0530 Subject: [PATCH 1/4] grafana CSP backward compatible with older browsers --- roles/matrix-grafana/defaults/main.yml | 5 +++++ roles/matrix-grafana/templates/grafana.ini.j2 | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 60c9c7f2..4e5064ab 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -37,6 +37,11 @@ matrix_grafana_default_admin_password: admin # [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy) matrix_grafana_content_security_policy: true +# specify content security policy template to customized template +# added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. +# added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +matrix_grafana_content_security_policy_customized: true + # A list of extra arguments to pass to the container matrix_grafana_container_extra_arguments: [] diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index 38534bc3..f442ed47 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -8,6 +8,12 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" # specify content_security_policy to add the Content-Security-Policy header to your requests content_security_policy = "{{ matrix_grafana_content_security_policy }}" +# specify content security policy template to customized template +{% if matrix_synapse_metrics_enabled %} +content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" +{% else %} +{% endif %} + [auth.anonymous] # enable anonymous access enabled = {{ matrix_grafana_anonymous_access }} From 37de7fc96a32ef3fb58b5587acd6171a27bcb6e8 Mon Sep 17 00:00:00 2001 From: sakkiii Date: Wed, 5 May 2021 22:25:38 +0530 Subject: [PATCH 2/4] Updated Reference --- roles/matrix-grafana/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/matrix-grafana/defaults/main.yml b/roles/matrix-grafana/defaults/main.yml index 4e5064ab..a5d60338 100644 --- a/roles/matrix-grafana/defaults/main.yml +++ b/roles/matrix-grafana/defaults/main.yml @@ -40,6 +40,8 @@ matrix_grafana_content_security_policy: true # specify content security policy template to customized template # added 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers. # added https: and http: url schemes (ignored by browsers supporting 'strict-dynamic') to be backward compatible with older browsers. +# [Content Security Policy Browser Test] (https://content-security-policy.com/browser-test/) +# [Content Security Policy Reference](https://content-security-policy.com/script-src/) matrix_grafana_content_security_policy_customized: true # A list of extra arguments to pass to the container From 0d5fe2d9f71e17551b98a3c5d3bc30d88a595e4e Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:38:40 +0530 Subject: [PATCH 3/4] Update roles/matrix-grafana/templates/grafana.ini.j2 Co-authored-by: Aaron Raimist --- roles/matrix-grafana/templates/grafana.ini.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index f442ed47..fb351fe9 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -9,7 +9,7 @@ admin_password = """{{ matrix_grafana_default_admin_password }}""" content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template -{% if matrix_synapse_metrics_enabled %} +{% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" {% else %} {% endif %} From 9174448e5ec12828a4cf0ff47a23a781524f4d0d Mon Sep 17 00:00:00 2001 From: sakkiii Date: Thu, 6 May 2021 12:46:17 +0530 Subject: [PATCH 4/4] get rid of this {% else %} --- roles/matrix-grafana/templates/grafana.ini.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/matrix-grafana/templates/grafana.ini.j2 b/roles/matrix-grafana/templates/grafana.ini.j2 index fb351fe9..42cfcb12 100644 --- a/roles/matrix-grafana/templates/grafana.ini.j2 +++ b/roles/matrix-grafana/templates/grafana.ini.j2 @@ -11,7 +11,6 @@ content_security_policy = "{{ matrix_grafana_content_security_policy }}" # specify content security policy template to customized template {% if matrix_grafana_content_security_policy_customized %} content_security_policy_template = """script-src http: https: 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data:;base-uri 'self';connect-src 'self' grafana.com;manifest-src 'self';media-src 'none';form-action 'self';""" -{% else %} {% endif %} [auth.anonymous]