RUM without setting CSP 'unsafe-inline'? #133
Comments
Hi @jbuck I had a chat with our browser team about this. Unfortunately the browser agent will not be compatible with CSP until version 1.1. My understanding is that the timing and instrumentation of the browser agent is sensitive enough that loading via a script would disrupt the accuracy of the info. There is also a lot of request-specific information loaded in the inlined script. There may be a workaround where you generate the header, store it in another route, then load that as an external script. I can't say if this would even work, and the use case probably wouldn't be recognized by our support team. Anyways, sorry we can't find a better solution. I'm sure our browser team would love to support CSP as-is, but it would seriously degrade the experience and accuracy of the agent.
Thank you for enabling RUM for the Node agent! It's working great, and we're getting tons of data.
The only downside to enabling RUM is that you can't use it with CSP unless you also allow 'unsafe-inline'. This removes one of the key protections against XSS attacks. I know that CSP 1.1 will solve this in the future by letting you set integrity hashes, but that's probably not going to be available widely for another year or so.
For those of us that want the security of CSP combined with the information that newrelic provides, would it be possible to split the configuration and javascript? As a strawman, if you called
newrelic.getBrowserTimingConfig()
in your view, it would output:
And then you have
newrelic.getBrowserTimingAgent()
which provides a URL to load it, maybe?
<script src="{{ newrelic.getBrowserTimingAgent() }}"></script>
Anyways, however it's possible, I'd love newrelic and CSP to co-exist.