fix: Correct CSP. Fixes #8560 (#8579)

Signed-off-by: Alex Collins <[email protected]>
argoproj · May 2, 2022 · 98dd898 · 98dd898
1 parent 3d892d9
commit 98dd898
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/server/artifacts/artifact_server.go b/server/artifacts/artifact_server.go
@@ -38,7 +38,8 @@ const (
  EnvArgoArtifactXFrameOptions = "ARGO_ARTIFACT_X_FRAME_OPTIONS"
  // DefaultContentSecurityPolicy is the default policy added to the Content-Security-Policy HTTP header
  // if no environment override has been added
- DefaultContentSecurityPolicy = "sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'"
+ // Validte using https://csp-evaluator.withgoogle.com
+ DefaultContentSecurityPolicy = "sandbox; base-uri 'none'; default-src 'none'; img-src 'self'; style-src 'self'; require-trusted-types-for 'script';"
  // DefaultXFrameOptions is the default value for the X-Frame-Options header
  DefaultXFrameOptions = "SAMEORIGIN"
 )