forked from elastic/kibana
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add csp.disableUnsafeEval config option to remove the unsafe-eval CSP (elastic#124484)

Adds a new experimental Kibana setting called `csp.disableUnsafeEval` which will default to `false`. When set to `true`, it will remove `unsafe-eval` from our CSP.

Also introduces a new module called `@kbn/handlebars` which is a replacement for the official `handlebars` module used in the frontend. This new module is necessary in order to avoid calling `eval`/`new Function` from within `handlebars` which is not allowed once `unsafe-eval` is removed from our CSP.

The `@kbn/handlebars` module is simply an extension of the main `handlebars` module which adds a new compile function called `compileAST` (as an alternative to the regular `compile` function). This new function will not use code-generation from strings to compile the template but will instead generate an AST and return a render function with the same API as the function returned by the regular `compile` function.

This method is a little bit slower, but since this is only meant to be used client-side, the slowdown should not be an issue.

The following limitations exist when using `@kbn/handlebars`:

- The Inline partials handlebars template feature is not supported.
- Only the following compile options will be supported:
  - `knownHelpers`
  - `knownHelpersOnly`
  - `strict`
  - `assumeObjects`
  - `noEscape`
  - `data`
- Only the following runtime options will be supported:
  - `helpers`
  - `blockParams`
  - `data`

Closes elastic#36311
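The difference between compiling by string code generation and compiling to an interpreted AST, which the commit message describes, shown as an added example that is not code from this commit or from `@kbn/handlebars`. It is a toy `{{path}}` engine whose function names are all hypothetical, and the CSP restriction is only simulated in Node by making the `Function` constructor throw.

```javascript
// Toy {{dotted.path}} engine for illustration; hypothetical names, not Handlebars code.
function parse(template) {
  const ast = [];
  const re = /\{\{\s*([\w.]+)\s*\}\}/g;
  let last = 0, m;
  while ((m = re.exec(template)) !== null) {
    if (m.index > last) ast.push({ type: 'text', value: template.slice(last, m.index) });
    ast.push({ type: 'path', parts: m[1].split('.') });
    last = re.lastIndex;
  }
  if (last < template.length) ast.push({ type: 'text', value: template.slice(last) });
  return ast;
}

const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const escapeHtml = (v) => String(v == null ? '' : v).replace(/[&<>"']/g, (c) => ESC[c]);
const lookup = (ctx, parts) => parts.reduce(
  (o, k) => (o != null && Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined), ctx);

// Strategy 1: build JavaScript source as a string and compile it with new Function.
// This is the call a browser refuses when the CSP has no 'unsafe-eval'.
function compileCodegen(template) {
  const body = parse(template).map((n) => (n.type === 'text'
    ? `out += ${JSON.stringify(n.value)};`
    : `out += escapeHtml(lookup(ctx, ${JSON.stringify(n.parts)}));`)).join('\n');
  const fn = new Function('ctx', 'escapeHtml', 'lookup', `let out = '';\n${body}\nreturn out;`);
  return (ctx) => fn(ctx, escapeHtml, lookup);
}

// Strategy 2: keep the AST and walk it on every render. No string is ever
// turned into code, at the cost of re-interpreting the nodes each time.
function compileAst(template) {
  const ast = parse(template);
  return (ctx) => ast.map((n) => (n.type === 'text' ? n.value : escapeHtml(lookup(ctx, n.parts)))).join('');
}

// Simulation only: make the Function constructor throw EvalError, as a browser
// does without 'unsafe-eval', then check whether a compile strategy still renders.
function worksWithoutEval(compile) {
  const real = globalThis.Function;
  globalThis.Function = function () { throw new EvalError('blocked by CSP (simulated)'); };
  try {
    return compile('Hi {{user.name}}')({ user: { name: '<b>' } }) === 'Hi &lt;b&gt;';
  } catch (e) {
    return false;
  } finally {
    globalThis.Function = real;
  }
}
```

Both strategies return a render function with the same call shape, so a caller can switch between them without other changes; only the AST version survives the simulated restriction.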
Showing 78 changed files with 11,036 additions and 309 deletions.