Merge pull request spinnaker#231 from OpsMx/bugfix/OP-16541-4-0-csp

kirangodishala · Aug 8, 2022 · a62667a · a62667a
2 parents c77a81d + c214856
commit a62667a
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy b/gate-core/src/main/groovy/com/netflix/spinnaker/gate/config/AuthConfig.groovy
@@ -94,6 +94,9 @@ class AuthConfig {
   @Value('${allowUnauthenticatedAccess.webhooks:false}')
   boolean isSpinnakerWebhooksUnauthenticatedAccessEnabled
 
+  @Value('${security.contentSecurityPolicy:\'object-src \'none\'; script-src \'unsafe-eval\' \'unsafe-inline\' https: http:;\'}')
+  String contentSecurityPolicy
+
   void configure(HttpSecurity http) throws Exception {
     // @formatter:off
     if(isAgentAPIUnauthenticatedAccessEnabled && isSpinnakerWebhooksUnauthenticatedAccessEnabled){
@@ -330,6 +333,8 @@ class AuthConfig {
       http.authorizeRequests().antMatchers(HttpMethod.POST, '/webhooks/**').authenticated()
     }
 
+    http.headers().contentSecurityPolicy(contentSecurityPolicy)
+
     http.logout()
         .logoutUrl("/auth/logout")
         .logoutSuccessHandler(permissionRevokingLogoutSuccessHandler)

diff --git a/gate-web/config/gate.yml b/gate-web/config/gate.yml
@@ -121,6 +121,7 @@ spring:
   profiles: googleOAuth
 
 security:
+  contentSecurityPolicy: "object-src 'none'; script-src 'unsafe-eval' 'unsafe-inline' https: http:;"
   oauth2:
     client:
       # Set these values in your own config file (e.g. spinnaker-local.yml or gate-googleOAuth.yml).