Open
Labels
bug: Something isn't working
Description
What happened?
The webadmin page currently contains the following inline JavaScript Module:

```html
<script type="module">
import init, * as bindings from '/webadmin-1106c72b971bd421.js';
const wasm = await init({ module_or_path: '/webadmin-1106c72b971bd421_bg.wasm' });
window.wasmBindings = bindings;
dispatchEvent(new CustomEvent("TrunkApplicationStarted", {detail: {wasm}}));
</script>
```
Since this module doesn't have a hash or nonce it forces the use of unsafe-inline CSP, which is less than ideal.
How can we reproduce the problem?
I can reproduce the problem by doing the following steps:
- Implement a CSP without 'unsafe-inline' in your reverse proxy.
- Navigate to webadmin
- Page doesn't load due to CSP violation.
Version
v0.14.x
What database are you using?
RocksDB
What blob storage are you using?
RocksDB
Where is your directory located?
Internal
What operating system are you using?
Linux
Relevant log output
Code of Conduct
- I agree to follow this project's Code of Conduct
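
An added example, not part of the original issue or the project's own code: one way to allow the inline module quoted above from a reverse proxy without 'unsafe-inline' is to hash each inline script body and list the hashes in `script-src`. The function names, the sample page and the `'wasm-unsafe-eval'` source are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample: the inline module quoted in the issue inside a minimal
# page. A real check would read the HTML that webadmin actually serves.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script type="module">
import init, * as bindings from '/webadmin-1106c72b971bd421.js';
const wasm = await init({ module_or_path: '/webadmin-1106c72b971bd421_bg.wasm' });
window.wasmBindings = bindings;
dispatchEvent(new CustomEvent("TrunkApplicationStarted", {detail: {wasm}}));
</script>
</head><body></body></html>
"""

class InlineScriptCollector(HTMLParser):
    """Collects the exact text of every <script> element that has no src."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # None while outside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:  # script text may arrive in several chunks
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def csp_hash_sources(html):
    """Return one 'sha256-<base64>' source expression per inline script."""
    collector = InlineScriptCollector()
    collector.feed(html)
    collector.close()
    digests = (hashlib.sha256(s.encode("utf-8")).digest() for s in collector.scripts)
    return ["'sha256-%s'" % base64.b64encode(d).decode("ascii") for d in digests]

def script_src_directive(html, extra=("'self'", "'wasm-unsafe-eval'")):
    # Assumption: 'self' covers the imported .js file and 'wasm-unsafe-eval'
    # permits instantiating the .wasm module; adjust to the deployment.
    return "script-src " + " ".join(list(extra) + csp_hash_sources(html))
```

The hash covers the exact bytes between the script tags, including the surrounding newlines, so it has to be recomputed whenever the served page changes. The hashed file names in the snippet suggest that happens with each webadmin build.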