https://community.splunk.com/t5/Security/Splunk-and-CSP-functions/m-p/439007#M10275 <P>I'm running nginx with the below security config.</P> <PRE><CODE>add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; </CODE></PRE> <P>When this file is enabled within nginx Splunk web will throw </P> <BLOCKQUOTE> <P>This browser is not supported by<BR /> Splunk. Please refer to the list of<BR /> Supported Browsers.</P> </BLOCKQUOTE> <P>Console shows <BR /> EvalError: call to Function() blocked by CSP common.js:1:30458<BR /> Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”).</P> <P>Mozilla seems to say that the function call is banned ... via <A href="https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/CSP#Applicable_CSP_Restrictions">https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/CSP#Applicable_CSP_Restrictions</A></P> <PRE><CODE>The function constructor is banned You may not use the Function() constructor. Using it will throw a security error. </CODE></PRE> <P>Sooo anyone run into this before ? I'm running Splunk Ent 7.2.3 </P> Mon, 12 Aug 2019 14:10:00 GMT tb5821 2019-08-12T14:10:00Z https://community.splunk.com/t5/Security/Splunk-and-CSP-functions/m-p/439007#M10275 <P>I'm running nginx with the below security config.</P> <PRE><CODE>add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; </CODE></PRE> <P>When this file is enabled within nginx Splunk web will throw </P> <BLOCKQUOTE> <P>This browser is not supported by<BR /> Splunk. Please refer to the list of<BR /> Supported Browsers.</P> </BLOCKQUOTE> <P>Console shows <BR /> EvalError: call to Function() blocked by CSP common.js:1:30458<BR /> Content Security Policy: The page’s settings blocked the loading of a resource at eval (“default-src”).</P> <P>Mozilla seems to say that the function call is banned ... via <A href="https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/CSP#Applicable_CSP_Restrictions">https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Firefox_OS_apps/Building_apps_for_Firefox_OS/CSP#Applicable_CSP_Restrictions</A></P> <PRE><CODE>The function constructor is banned You may not use the Function() constructor. Using it will throw a security error. </CODE></PRE> <P>Sooo anyone run into this before ? I'm running Splunk Ent 7.2.3 </P> Mon, 12 Aug 2019 14:10:00 GMT https://community.splunk.com/t5/Security/Splunk-and-CSP-functions/m-p/439007#M10275 tb5821 2019-08-12T14:10:00Z https://community.splunk.com/t5/Security/Splunk-and-CSP-functions/m-p/439008#M10276 <P>Chrome seems to debug this a bit differently </P> <PRE><CODE>common.js:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'". at new Function (&lt;anonymous&gt;) at Function._.template (common.js:1) at child.&lt;anonymous&gt; (common.js:45) at child.compileTemplate (common.js:1) at child.constructor (common.js:44) at new child (common.js:30) at child.page (account.js:3) at child.execute (common.js:30) at Object.callback (common.js:30) at common.js:30 </CODE></PRE> Mon, 12 Aug 2019 14:13:25 GMT https://community.splunk.com/t5/Security/Splunk-and-CSP-functions/m-p/439008#M10276 tb5821 2019-08-12T14:13:25Z