OCPBUGS-48740: Remove unnecessary object-src directive #2176

Merged
merged 1 commit into from
Jan 29, 2025
13 changes: 3 additions & 10 deletions console/v1/types_console_plugin.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ type ConsolePluginSpec struct {
// from a cluster service.
// CSP violation reports can be viewed in the browser's console logs during development and
// testing of the plugin in the OpenShift web console.
// Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
// Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
// Each of the available directives may be defined only once in the list.
// The value 'self' is automatically included in all fetch directives by the OpenShift web
// console's backend.
Expand Down Expand Up @@ -101,7 +101,7 @@ type ConsolePluginSpec struct {

// DirectiveType is an enumeration of OpenShift web console supported CSP directives.
// LoadType is an enumeration of i18n loading types.
// +kubebuilder:validation:Enum:="DefaultSrc";"ScriptSrc";"StyleSrc";"ImgSrc";"FontSrc";"ObjectSrc";"ConnectSrc"
// +kubebuilder:validation:Enum:="DefaultSrc";"ScriptSrc";"StyleSrc";"ImgSrc";"FontSrc";"ConnectSrc"
Contributor

When did this object ship? Removing a value from an enum is technically a breaking change. Has this shipped only in 4.19?

Member Author

It was added just recently, last week.

// +enum
type DirectiveType string
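
Review bot: The doc comment above DirectiveType still contains the line "LoadType is an enumeration of i18n loading types.", which describes a different type and reads as part of the DirectiveType documentation; since this hunk already edits the marker directly below it, drop that line here. On the Enum marker itself, removing "ObjectSrc" narrows what the schema accepts, so the PR description should record when the value was introduced and whether any released version ever accepted it.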

Expand All @@ -126,10 +126,6 @@ const (
// For more information about the FontSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
FontSrc DirectiveType = "FontSrc"
// ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
// For more information about the ObjectSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
ObjectSrc DirectiveType = "ObjectSrc"
// ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
// For more information about the ConnectSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
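
Review bot: Deleting the exported constant ObjectSrc in this const block is a compile-time break for any Go code that references it, separate from the schema change. Before merging, check that no consumer of this package still uses the constant (the console backend that assembles the policy is the obvious candidate), or land the consumer change first.
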
Expand All @@ -151,7 +147,7 @@ type CSPDirectiveValue string
// ConsolePluginCSP holds configuration for a specific CSP directive
type ConsolePluginCSP struct {
// directive specifies which Content-Security-Policy directive to configure.
// Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
// Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
// DefaultSrc directive serves as a fallback for the other CSP fetch directives.
// For more information about the DefaultSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
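
Review bot: With ObjectSrc removed from the list in the directive field comment, the documentation no longer says what policy applies to <object> and <embed> content. The next sentence states that DefaultSrc is the fallback for the other fetch directives, and in CSP that fallback covers object-src whenever no explicit object-src is sent, so a host a plugin adds under DefaultSrc would also be allowed for <object> and <embed> unless the console backend emits its own object-src. Add a sentence stating what the backend sends for object-src and that plugins cannot change it.
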
Expand All @@ -167,9 +163,6 @@ type ConsolePluginCSP struct {
// FontSrc directive specifies valid sources for fonts loaded using @font-face.
// For more information about the FontSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
// ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
// For more information about the ObjectSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
// ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
// For more information about the ConnectSrc directive, see:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ spec:
from a cluster service.
CSP violation reports can be viewed in the browser's console logs during development and
testing of the plugin in the OpenShift web console.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
Each of the available directives may be defined only once in the list.
The value 'self' is automatically included in all fetch directives by the OpenShift web
console's backend.
Expand Down Expand Up @@ -151,7 +151,7 @@ spec:
directive:
description: |-
directive specifies which Content-Security-Policy directive to configure.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
DefaultSrc directive serves as a fallback for the other CSP fetch directives.
For more information about the DefaultSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
Expand All @@ -167,9 +167,6 @@ spec:
FontSrc directive specifies valid sources for fonts loaded using @font-face.
For more information about the FontSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
For more information about the ObjectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
For more information about the ConnectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Expand All @@ -179,7 +176,6 @@ spec:
- StyleSrc
- ImgSrc
- FontSrc
- ObjectSrc
- ConnectSrc
type: string
values:
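
Review bot: Dropping ObjectSrc from the enum list in this manifest means a ConsolePlugin that sets directive: ObjectSrc will no longer pass schema validation, so anything created while the value was accepted needs to be found and updated before this schema rolls out. The same four hunks repeat in the other three manifests below; confirm all of them were regenerated from the Go type rather than edited by hand, so the descriptions and enum lists cannot drift from types_console_plugin.go.
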
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ spec:
from a cluster service.
CSP violation reports can be viewed in the browser's console logs during development and
testing of the plugin in the OpenShift web console.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
Each of the available directives may be defined only once in the list.
The value 'self' is automatically included in all fetch directives by the OpenShift web
console's backend.
Expand Down Expand Up @@ -151,7 +151,7 @@ spec:
directive:
description: |-
directive specifies which Content-Security-Policy directive to configure.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
DefaultSrc directive serves as a fallback for the other CSP fetch directives.
For more information about the DefaultSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
Expand All @@ -167,9 +167,6 @@ spec:
FontSrc directive specifies valid sources for fonts loaded using @font-face.
For more information about the FontSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
For more information about the ObjectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
For more information about the ConnectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Expand All @@ -179,7 +176,6 @@ spec:
- StyleSrc
- ImgSrc
- FontSrc
- ObjectSrc
- ConnectSrc
type: string
values:
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ spec:
from a cluster service.
CSP violation reports can be viewed in the browser's console logs during development and
testing of the plugin in the OpenShift web console.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
Each of the available directives may be defined only once in the list.
The value 'self' is automatically included in all fetch directives by the OpenShift web
console's backend.
Expand Down Expand Up @@ -151,7 +151,7 @@ spec:
directive:
description: |-
directive specifies which Content-Security-Policy directive to configure.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
DefaultSrc directive serves as a fallback for the other CSP fetch directives.
For more information about the DefaultSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
Expand All @@ -167,9 +167,6 @@ spec:
FontSrc directive specifies valid sources for fonts loaded using @font-face.
For more information about the FontSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
For more information about the ObjectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
For more information about the ConnectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Expand All @@ -179,7 +176,6 @@ spec:
- StyleSrc
- ImgSrc
- FontSrc
- ObjectSrc
- ConnectSrc
type: string
values:
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ spec:
from a cluster service.
CSP violation reports can be viewed in the browser's console logs during development and
testing of the plugin in the OpenShift web console.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
Each of the available directives may be defined only once in the list.
The value 'self' is automatically included in all fetch directives by the OpenShift web
console's backend.
Expand Down Expand Up @@ -149,7 +149,7 @@ spec:
directive:
description: |-
directive specifies which Content-Security-Policy directive to configure.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ObjectSrc and ConnectSrc.
Available directive types are DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc and ConnectSrc.
DefaultSrc directive serves as a fallback for the other CSP fetch directives.
For more information about the DefaultSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
Expand All @@ -165,9 +165,6 @@ spec:
FontSrc directive specifies valid sources for fonts loaded using @font-face.
For more information about the FontSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
ObjectSrc directive specifies valid sources for the <object> and <embed> elements.
For more information about the ObjectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
ConnectSrc directive restricts the URLs which can be loaded using script interfaces.
For more information about the ConnectSrc directive, see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
Expand All @@ -177,7 +174,6 @@ spec:
- StyleSrc
- ImgSrc
- FontSrc
- ObjectSrc
- ConnectSrc
type: string
values: