I'm running nginx with the below security config.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
When this file is enabled within nginx, Splunk web will throw:
This browser is not supported by Splunk. Please refer to the list of Supported Browsers.
Console shows:
EvalError: call to Function() blocked by CSP common.js:1:30458
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”).
Mozilla seems to say that the function call is banned ... via https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS...
The function constructor is banned
You may not use the Function() constructor. Using it will throw a security error.
Sooo, anyone run into this before? I'm running Splunk Ent 7.2.3.
Chrome seems to debug this a bit differently:
common.js:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".
at new Function (<anonymous>)
at Function._.template (common.js:1)
at child.<anonymous> (common.js:45)
at child.compileTemplate (common.js:1)
at child.constructor (common.js:44)
at new child (common.js:30)
at child.page (account.js:3)
at child.execute (common.js:30)
at Object.callback (common.js:30)
at common.js:30
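As an added illustration (not part of the original post or of Splunk's code), the snippet below mirrors the browser rule behind both error messages: `eval()`/`new Function()` fall under `script-src`, and with no `script-src` present the browser falls back to `default-src`, which in the posted policy has no `'unsafe-eval'`. The "scoped" policy is an assumption constructed here, not something verified against Splunk.

```javascript
// Added example, not from the original post: a tiny CSP evaluator that mirrors
// the browser's fallback rule behind the errors above. eval()/new Function()
// are governed by script-src; when script-src is absent the browser falls back
// to default-src, and evaluation is allowed only if that source list contains
// 'unsafe-eval'. Parsing covers one Content-Security-Policy header value.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Returns which directive governs eval and whether evaluation is permitted.
function evalDecision(header) {
  const d = parseCsp(header);
  let governedBy = null;
  if (d['script-src'] !== undefined) governedBy = 'script-src';
  else if (d['default-src'] !== undefined) governedBy = 'default-src';
  // No script-related directive at all: CSP places no restriction on eval.
  if (governedBy === null) return { governedBy, allowed: true };
  const allowed = d[governedBy].some(src => src.toLowerCase() === "'unsafe-eval'");
  return { governedBy, allowed };
}

// The policy from the post: no script-src, so default-src applies and it
// lacks 'unsafe-eval', hence new Function() in the template code is refused.
const POSTED_POLICY = "default-src 'self' http: https: data: blob: 'unsafe-inline'";

// Assumed alternative (constructed here, not verified against Splunk): keep
// default-src as posted and state 'unsafe-eval' explicitly in script-src, so
// the relaxation is visible in the one directive that needs it. Note that
// 'unsafe-eval' still weakens the policy wherever it appears.
const SCOPED_POLICY =
  POSTED_POLICY + "; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

console.log(evalDecision(POSTED_POLICY)); // { governedBy: 'default-src', allowed: false }
console.log(evalDecision(SCOPED_POLICY)); // { governedBy: 'script-src', allowed: true }
```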