So I was reading that in Grafana 9 there is an option to disable Angular support, which has some security violations, including requiring 'unsafe-eval' in the CSP due to its reliance on the eval() function.
I want to have secure CSP policies, so I tested it out by setting a CSP without 'unsafe-eval' AND 'unsafe-inline', but it still has issues opening the login page due to the absence of 'unsafe-inline' in the CSP values. So I was curious: is "unsafe-inline" still required for Grafana, or is that a bug?
By the way, I did test it without 'unsafe-eval' and, as expected, it worked, but it seems the "unsafe-inline" source is still required in the CSP for the Grafana login page to open.
For example, in the older Grafana versions, these were an absolute must:
script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
and in Grafana 9 with Angular disabled, only 'unsafe-eval' can be removed:
script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
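As an added example (not part of the original post, and not Grafana's own code), here is a small CSP parser that audits the two policies quoted above for the script-src and style-src directives. It applies two rules from the CSP spec that matter when comparing policies like these: script-src and style-src fall back to default-src when they are absent, and 'unsafe-inline' is ignored by the browser once a nonce or hash source is present in the same directive. The third policy with a nonce source is constructed for illustration only; the nonce value is made up. Grafana's CSP itself is set through the content_security_policy_template setting in the [security] section of grafana.ini, which accepts a $NONCE placeholder, but that setting is not exercised here.

```python
"""Audit a Content-Security-Policy string for inline/eval exposure.

Added example, not from the original post or from Grafana. It parses the
policy into directives and reports, for script-src and style-src, whether
inline code and eval() are effectively permitted.
"""
import re

# Policies quoted in the post above.
OLD_GRAFANA_POLICY = (
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline';"
)
GRAFANA9_NO_ANGULAR_POLICY = (
    "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
)
# Constructed for illustration: a nonce source next to 'unsafe-inline'.
# Per CSP, the nonce causes the browser to ignore 'unsafe-inline' here.
NONCE_POLICY = (
    "script-src 'self' 'nonce-c0nstructedN0nce' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline';"
)

# Matches 'nonce-<base64>' and 'sha256/384/512-<base64>' source expressions.
NONCE_OR_HASH = re.compile(
    r"'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'"
)


def parse_csp(policy):
    """Split a policy into {directive-name: [source, ...]}.

    Directives are ';'-separated; the first occurrence of a name wins,
    which is what browsers do with duplicate directives.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective_sources(directives, name):
    """script-src/style-src inherit default-src when not set explicitly."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def audit_directive(sources):
    """Return what the directive effectively allows."""
    has_nonce_or_hash = any(NONCE_OR_HASH.fullmatch(s) for s in sources)
    return {
        "unsafe_keywords": sorted(
            s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")
        ),
        "nonce_or_hash": has_nonce_or_hash,
        # 'unsafe-inline' only has effect when no nonce/hash is present.
        "inline_allowed": "'unsafe-inline'" in sources and not has_nonce_or_hash,
        "eval_allowed": "'unsafe-eval'" in sources,
    }


def audit(policy):
    """Audit script-src and style-src of a full policy string."""
    directives = parse_csp(policy)
    return {
        name: audit_directive(effective_sources(directives, name))
        for name in ("script-src", "style-src")
    }


if __name__ == "__main__":
    for label, policy in (
        ("old Grafana", OLD_GRAFANA_POLICY),
        ("Grafana 9, Angular off", GRAFANA9_NO_ANGULAR_POLICY),
        ("nonce-based (constructed)", NONCE_POLICY),
    ):
        print(label)
        for directive, result in audit(policy).items():
            print(f"  {directive}: {result}")
```

Running it shows the difference the post describes: the old policy allows both inline scripts and eval(), the Grafana 9 policy with Angular disabled drops eval() but still allows inline scripts, and a nonce-based script-src allows neither in the general case, which is the direction to go if the login page can be served with nonced inline scripts.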