Harden alert-ui credential handling and isolate XSS blast radius with strict CSP#30

Draft
xoth42 with Copilot wants to merge 3 commits into
mainfrom
copilot/eliminate-raw-grafana-credentials

Conversation

Copilot AI (Contributor) commented May 31, 2026

The alert UI previously persisted Grafana Basic credentials in sessionStorage, making credential theft straightforward under any same-origin script execution (including UI or Grafana-side XSS). This update removes browser credential persistence and tightens client-side execution policy for /alerts/*.

  • Credential exposure reduction (no browser storage)
    • Removed sessionStorage-backed auth state from alert-ui/app.js.
    • Kept auth header in runtime memory only for the active page session.
    • Preserved existing login/logout and API call behavior without long-lived browser-stored secrets.
  • XSS hardening via CSP-compatible UI event model
    • Removed inline onclick usage from alert-ui/index.html.
    • Migrated to JS-bound listeners/delegated handlers in alert-ui/app.js.
    • This enables enforcement of non-inline script execution for alert UI pages.
  • Strict CSP on alert UI routes
    • Added Content-Security-Policy for /alerts/* in config/caddy/Caddyfile.
    • Policy restricts script origin to self, blocks plugin/object execution, disallows framing, and narrows base/form behavior.
  • Operational guidance updates
    • Updated login prompt and README.md to discourage admin login via alert UI.
    • Documented future direction toward backend-managed sessions (cookie + server-side session ID) if scope expands.
handle_path /alerts/* {
    header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'self'"
    root * /srv/alert-ui
    file_server
}
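The three changes the description lists (credentials held only in page memory, a delegated click handler in place of inline onclick, and a CSP whose script-src excludes inline script) can be sketched in one small module. This is an added example, not code from alert-ui/app.js or the PR; every function and attribute name below (createAuthSession, checkAlertUiCsp, createDispatcher, data-action) is an assumption chosen for illustration. The CSP checker parses the header value from the Caddyfile above and reports the properties that would weaken it, which is a useful regression check to keep beside the config.

```javascript
// Added example (not the PR's own code). Names are illustrative.

// Base64 helper that works in browsers (btoa) and in Node (Buffer).
function toBase64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}

// Credentials live only in this closure: nothing is written to localStorage or
// sessionStorage, so a reload or a new tab forgets them and no script can read
// them back out of storage later. Script running in *this* page can still
// observe them, which is why the CSP below matters: it limits what runs at all.
function createAuthSession() {
  let authHeader = null;
  return {
    login(username, password) {
      authHeader = 'Basic ' + toBase64(`${username}:${password}`);
    },
    logout() {
      authHeader = null;
    },
    isLoggedIn() {
      return authHeader !== null;
    },
    // Return a fetch() init object carrying the Authorization header.
    // Assumes init.headers is a plain object (not a Headers instance).
    withAuth(init = {}) {
      if (authHeader === null) throw new Error('not logged in');
      return { ...init, headers: { ...(init.headers || {}), Authorization: authHeader } };
    },
  };
}

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Check the properties the description relies on. Fetch directives
// (script-src, object-src) fall back to default-src; base-uri and
// frame-ancestors do not. Returns a list of findings; empty means OK.
function checkAlertUiCsp(policy) {
  const d = parseCsp(policy);
  const src = (name, fallback) => d[name] || (fallback ? d['default-src'] : undefined) || [];
  const findings = [];
  const scriptSrc = src('script-src', true);
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.some((s) => s === '*' || s.startsWith('http'))) findings.push('script-src allows a remote or wildcard origin');
  if (!src('object-src', true).includes("'none'")) findings.push("object-src is not 'none'");
  const baseUri = src('base-uri', false);
  if (!baseUri.includes("'none'") && !baseUri.includes("'self'")) findings.push('base-uri is not restricted');
  if (!src('frame-ancestors', false).includes("'none'")) findings.push("frame-ancestors is not 'none'");
  return findings;
}

// Delegated dispatch: one listener on a container, actions named by a
// data-action attribute instead of inline onclick="...". Walks up from the
// event target with getAttribute/parentElement, so it works on DOM nodes and
// on the constructed stand-ins used in tests.
function resolveAction(node) {
  for (let n = node; n; n = n.parentElement) {
    const action = typeof n.getAttribute === 'function' ? n.getAttribute('data-action') : null;
    if (action) return action;
  }
  return null;
}

function createDispatcher(handlers) {
  return function onClick(event) {
    const action = resolveAction(event.target);
    if (action && Object.prototype.hasOwnProperty.call(handlers, action)) {
      if (typeof event.preventDefault === 'function') event.preventDefault();
      return handlers[action](event);
    }
    return undefined;
  };
}

// Browser wiring, guarded so the module also loads outside a DOM.
if (typeof document !== 'undefined') {
  const session = createAuthSession();
  document.addEventListener('click', createDispatcher({ logout: () => session.logout() }));
}
```

Because the listener is attached from a script file rather than an attribute, the policy's `script-src 'self'` is satisfied without `'unsafe-inline'`; the checker flags exactly that fallback if someone later loosens the header.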

Copilot AI changed the title [WIP] Eliminate raw Grafana credentials from browser storage Harden alert-ui credential handling and isolate XSS blast radius with strict CSP May 31, 2026
Copilot finished work on behalf of xoth42 May 31, 2026 21:56
Copilot AI requested a review from xoth42 May 31, 2026 21:56
Successfully merging this pull request may close these issues.

Eliminate raw Grafana credentials from browser storage and enhance XSS protections