Identify CSP test functions (elastic#184456)

mbondyra · May 30, 2024 · 3e44cca · 3e44cca
1 parent 71ea578
commit 3e44cca
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/packages/core/rendering/core-rendering-server-internal/src/views/template.tsx b/packages/core/rendering/core-rendering-server-internal/src/views/template.tsx
@@ -110,7 +110,8 @@ export const Template: FunctionComponent<Props> = ({
         </div>
 
         <script>
-          {`
+          {`// kbnUnsafeInlineTest do not remove this comment:
+            //   it is used for filtering out expected CSP failures, and must be the first piece of content in this script block.
             // Since this is an unsafe inline script, this code will not run
             // in browsers that support content security policy(CSP). This is
             // intentional as we check for the existence of __kbnCspNotEnforced__ in

diff --git a/packages/kbn-handlebars/src/utils.ts b/packages/kbn-handlebars/src/utils.ts
@@ -61,7 +61,9 @@ export function transformLiteralToPath(node: { path: hbs.AST.PathExpression | hb
 
 export function allowUnsafeEval() {
   try {
-    new Function();
+    // Do not remove the `kbnUnsafeEvalTest` parameter.
+    // It is used for filtering out expected CSP failures, and must be the first piece of content in this function.
+    new Function('kbnUnsafeEvalTest', 'return true;');
     return true;
   } catch (e) {
     return false;