Hello, as you may have heard, we are transitioning away from using discussions to discuss feature requests. This is phrased as a discussion, and we'd like discussions about Grafana to go to our community forum. Thank you!

Currently in development. Trusted types is an experimental JavaScript API with limited browser support.

Trusted types reduce the risk of DOM XSS by forcing developers to sanitize strings that are used in injection sinks, such as setting `innerHTML` on an element. Furthermore, when enabling trusted types, these injection sinks need to go through a policy that will sanitize, or leave the string intact and return it as "safe". This provides some protection from client-side injection vulnerabilities in third-party libraries, such as jQuery, Angular and even third-party plugins.

To enable trusted types in enforce mode, where injection sinks are automatically sanitized:

- Enable `content_security_policy` in the configuration.
- Add `require-trusted-types-for 'script'` to the `content_security_policy_template` in the configuration.

To enable trusted types in report mode, where inputs that have not been sanitized with trusted types will be logged to the console:

- Enable `content_security_policy_report_only` in the configuration.
- Add `require-trusted-types-for 'script'` to the `content_security_policy_report_only_template` in the configuration.

As this is very early stages and we do not yet know the full extent of issues that may appear, it is important that we get feedback from the community about things breaking. Please leave a comment!
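A way to check which of the two modes described in the post is actually in effect, as an added example that is not part of the original post or Grafana's code. It assumes enforce mode is delivered in the `Content-Security-Policy` response header and report mode in `Content-Security-Policy-Report-Only`; the function names are hypothetical and the header samples are constructed.

```javascript
// Classify Trusted Types enforcement from a set of HTTP response headers.
// All sample headers below are constructed, not captured from a Grafana server.

// Parse one CSP header value into a Map of directive name -> array of values.
function parseCsp(value) {
  const directives = new Map();
  for (const part of String(value || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by CSP parsing: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy contains: require-trusted-types-for 'script'
function requiresTrustedTypes(value) {
  const values = parseCsp(value).get('require-trusted-types-for') || [];
  return values.includes("'script'"); // the quotes are part of the keyword
}

// Returns 'enforce', 'report-only' or 'off' for an object of response headers.
function trustedTypesMode(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (requiresTrustedTypes(h['content-security-policy'])) return 'enforce';
  if (requiresTrustedTypes(h['content-security-policy-report-only'])) return 'report-only';
  return 'off';
}

// Constructed samples: enforce mode, report mode, and a template typo.
const enforced = {
  'Content-Security-Policy':
    "script-src 'self'; object-src 'none'; require-trusted-types-for 'script'",
};
const reportOnly = {
  'Content-Security-Policy': "script-src 'self'; object-src 'none'",
  'Content-Security-Policy-Report-Only': "require-trusted-types-for 'script'",
};
const missingQuotes = {
  'Content-Security-Policy': "script-src 'self'; require-trusted-types-for script",
};

console.log(trustedTypesMode(enforced));
console.log(trustedTypesMode(reportOnly));
console.log(trustedTypesMode(missingQuotes));
```

The third sample shows the failure worth testing for: a template that drops the single quotes around `script` leaves the page without the trusted types requirement even though the directive name is present.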