
Conversation


Copilot AI commented Sep 11, 2025

OPSEXP-3507

This PR adds the 'unsafe-eval' directive to the default Content Security Policy (CSP) for webapp locations in the nginx configuration.

Changes Made

Updated the nginx_security_headers_webapps CSP policy in roles/nginx/defaults/main.yml to include 'unsafe-eval' in the script-src directive:

Before:

Content-Security-Policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';"

After:

Content-Security-Policy: "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"

Affected Locations

This change applies to the following webapp endpoints that use the nginx_security_headers_webapps configuration:

  • Root location /
  • API Explorer /api-explorer/
  • Control Center /control-center/
  • Workspace /workspace/

Test Updates

Updated the molecule test expectations in roles/nginx/molecule/default/verify.yml for the /workspace/ location to match the new CSP policy with 'unsafe-eval'.

Notes

  • The /share/ location already had 'unsafe-eval' configured via nginx_security_headers_share and is unaffected by this change
  • The /alfresco/ repository location continues to use nginx_security_headers_repository which has no CSP policy by design
  • All changes are minimal and surgical, only adding the required directive where needed

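A reviewer-side check for a change like this one, added here as an example and not part of the nginx role or its molecule tests: it parses the Before/After policies quoted in the description and reports which script-src keywords relax the policy, applying the default-src fallback the way a browser does. The helper names `parse_csp`, `effective_sources`, `script_src_risks` and `added_script_sources` are assumptions.

```python
"""Parse a Content-Security-Policy value and report relaxing script-src keywords.

Constructed example: the two policy strings below are the Before/After values
quoted in the PR description. The helper names are hypothetical.
"""

BEFORE = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';"
AFTER = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"

# Keywords that widen what the browser will execute when attacker-controlled
# content reaches the page; each one lowers the protection CSP provides.
RELAXING_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'", "*"}


def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}, tolerating a trailing ';'."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:  # empty segment after the trailing ';'
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Sources governing `name`; fetch directives fall back to default-src if absent."""
    return directives.get(name, directives.get("default-src", []))


def script_src_risks(policy):
    """Relaxing keywords present in the effective script-src, in policy order."""
    sources = effective_sources(parse_csp(policy), "script-src")
    return [s for s in sources if s in RELAXING_SOURCES]


def added_script_sources(before, after):
    """script-src sources introduced by `after` that `before` did not allow."""
    old = set(effective_sources(parse_csp(before), "script-src"))
    new = effective_sources(parse_csp(after), "script-src")
    return [s for s in new if s not in old]


if __name__ == "__main__":
    print("before:", script_src_risks(BEFORE))
    print("after: ", script_src_risks(AFTER))
    print("added: ", added_script_sources(BEFORE, AFTER))
```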

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI changed the title [WIP] add unsafe-eval as default csp for webapps Add unsafe-eval to default CSP for webapps Sep 11, 2025
Copilot AI requested a review from gionn September 11, 2025 15:41
@gionn gionn changed the title Add unsafe-eval to default CSP for webapps OPSEXP-3507 Add unsafe-eval to default CSP for webapps Sep 11, 2025
@gionn gionn requested a review from alxgomz September 11, 2025 15:59
@gionn gionn marked this pull request as ready for review September 11, 2025 16:03
@gionn gionn merged commit c719cbe into master Sep 12, 2025
62 of 63 checks passed
@gionn gionn deleted the copilot/fix-9e84291c-7674-4236-83af-6a357ab25f87 branch September 12, 2025 07:05
