preserving worker-src directive

thomasneirynck · thomasneirynck · commit 380d5798a022 · 2019-12-03T14:37:51.000-05:00
diff --git a/src/legacy/server/csp/index.test.ts b/src/legacy/server/csp/index.test.ts
@@ -40,6 +40,7 @@ test('default CSP rules', () => {
   expect(DEFAULT_CSP_RULES).toMatchInlineSnapshot(`
     Array [
       "script-src 'unsafe-eval' 'self'",
+      "worker-src blob: 'self'",
       "style-src 'unsafe-inline' 'self'",
     ]
   `);
diff --git a/src/legacy/server/csp/index.ts b/src/legacy/server/csp/index.ts
@@ -19,6 +19,7 @@
 
 export const DEFAULT_CSP_RULES = Object.freeze([
   `script-src 'unsafe-eval' 'self'`,
+  `worker-src blob: 'self'`,
   `style-src 'unsafe-inline' 'self'`,
 ]);
 
diff --git a/test/api_integration/apis/general/csp.js b/test/api_integration/apis/general/csp.js
@@ -37,6 +37,7 @@ export default function ({ getService }) {
       const entries = Array.from(parsed.entries());
       expect(entries).to.eql([
         [ 'script-src', [ '\'unsafe-eval\'', '\'self\'' ] ],
+        [ 'worker-src', [ 'blob:', '\'self\'' ] ],
         [ 'style-src', [ '\'unsafe-inline\'', '\'self\'' ] ]
       ]);
     });
diff --git a/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts b/x-pack/test/oidc_api_integration/apis/implicit_flow/oidc_auth.ts
@@ -61,7 +61,7 @@ export default function({ getService }: FtrProviderContext) {
         expect(response.headers['content-type']).to.be('text/html; charset=utf-8');
         expect(response.headers['cache-control']).to.be('private, no-cache, no-store');
         expect(response.headers['content-security-policy']).to.be(
-          `script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'`
+          `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
         );
 
         // Check that script that forwards URL fragment worked correctly.
diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts
@@ -142,7 +142,7 @@ export default function({ getService }: FtrProviderContext) {
         expect(response.headers['content-type']).to.be('text/html; charset=utf-8');
         expect(response.headers['cache-control']).to.be('private, no-cache, no-store');
         expect(response.headers['content-security-policy']).to.be(
-          `script-src 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'`
+          `script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'`
         );
 
         // Check that script that forwards URL fragment worked correctly.

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ test('default CSP rules', () => {`
`40`	`40`	expect(DEFAULT_CSP_RULES).toMatchInlineSnapshot(`
`41`	`41`	`Array [`
`42`	`42`	`"script-src 'unsafe-eval' 'self'",`
	`43`	`+ "worker-src blob: 'self'",`
`43`	`44`	`"style-src 'unsafe-inline' 'self'",`
`44`	`45`	`]`
`45`	`46`	`);