bvs-langchain (Contributor)

  • adds includeNonce option to optionally replace %%NONCE%% in bundle with a nonce value to support stricter CSP
  • adds cspHeader option using current value as default to allow overriding CSP
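The two options only protect the page when they are used together: the nonce substituted for %%NONCE%% in the bundle has to be the same value the CSP header allows via 'nonce-...', otherwise browsers refuse to run every nonced script and style. The following added example (not code from this PR or the chart) shows that pairing in Python and includes a defender-side consistency check that a test can run against a rendered page. It assumes a constructed index.html fragment with the %%NONCE%% placeholder, builds the header from the directives quoted in this thread (the old hardcoded frame-ancestors/object-src value plus the suggested script-src/style-src nonce sources), and uses Python's secrets module as a stand-in for nginx's $request_id, which the chart would expand itself.

```python
"""Per-request CSP nonce demo: placeholder substitution plus a header/markup
consistency check. Added example, not the LangSmith chart's own code."""
import re
import secrets

# Constructed stand-in for the built frontend bundle containing the
# %%NONCE%% placeholder that the chart's includeNonce option rewrites.
BUNDLE_TEMPLATE = """<!doctype html>
<html><head>
<script nonce="%%NONCE%%" src="/static/app.js"></script>
<style nonce="%%NONCE%%">body{margin:0}</style>
</head><body><div id="root"></div></body></html>
"""

# Header in the shape discussed in the PR: the previously hardcoded directives
# plus nonce-based script-src/style-src. nginx would expand $request_id itself;
# here the same placeholder is substituted in Python (assumption for the demo).
CSP_TEMPLATE = (
    "frame-ancestors 'self'; object-src 'none'; "
    "script-src 'nonce-$request_id' 'strict-dynamic'; "
    "style-src 'nonce-$request_id' 'strict-dynamic'"
)

NONCE_PLACEHOLDER = "%%NONCE%%"
NONCE_VARIABLE = "$request_id"


def new_nonce() -> str:
    """128 bits of randomness, base64url encoded (stand-in for nginx's $request_id)."""
    return secrets.token_urlsafe(16)


def render(bundle: str, csp_template: str, nonce: str, include_nonce: bool = True):
    """Return (html, csp_header) for one request.

    include_nonce=False mirrors a deployment that sets the nonce-based header
    but leaves the includeNonce option off: the placeholder stays in the markup.
    """
    html = bundle.replace(NONCE_PLACEHOLDER, nonce) if include_nonce else bundle
    header = csp_template.replace(NONCE_VARIABLE, nonce)
    return html, header


def nonce_sources(header: str, directive: str) -> set[str]:
    """Extract the nonce values a given directive (e.g. script-src) allows."""
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0] == directive:
            return {
                t[len("'nonce-"):-1]
                for t in tokens[1:]
                if t.startswith("'nonce-") and t.endswith("'")
            }
    return set()


_TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR_RE = re.compile(r'nonce="([^"]*)"')


def mismatched_elements(html: str, header: str) -> list[str]:
    """Return the <script>/<style> opening tags whose nonce attribute is not
    allowed by the header. A browser blocks every such element, so a non-empty
    result means the page would render broken under this CSP."""
    problems = []
    for match in _TAG_RE.finditer(html):
        tag, attrs = match.group(1).lower(), match.group(2)
        directive = "script-src" if tag == "script" else "style-src"
        allowed = nonce_sources(header, directive)
        attr = _NONCE_ATTR_RE.search(attrs)
        value = attr.group(1) if attr else None
        if value is None or value not in allowed:
            problems.append(match.group(0))
    return problems


if __name__ == "__main__":
    nonce = new_nonce()
    html, header = render(BUNDLE_TEMPLATE, CSP_TEMPLATE, nonce)
    print("Content-Security-Policy:", header)
    print("mismatches:", mismatched_elements(html, header))
```

Running mismatched_elements on the output of a deployment's real index.html and response header is a cheap smoke test for the failure mode raised in this thread: a header that carries 'nonce-$request_id' while includeNonce is off, or a custom cspHeader that dropped the nonce sources, both show up as flagged tags rather than as a blank page in production.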

keepalive_timeout {{ .Values.frontend.keepAliveTimeout }};
add_header Content-Security-Policy "frame-ancestors 'self'; object-src 'none'" always;
add_header Content-Security-Policy "{{ .Values.frontend.cspHeader }}" always;
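Review bot: the removed line hardcoded `frame-ancestors 'self'; object-src 'none'`, so the chart default for `frontend.cspHeader` has to carry both directives and the README should say that an override replaces rather than extends them, otherwise a user who sets only `script-src ...` silently loses the clickjacking protection. Related: `includeNonce` and `cspHeader` are independent options, but the nonce substituted for `%%NONCE%%` only does anything when the header also lists the matching `'nonce-$request_id'` source (and the reverse combination blocks every nonced script), so either validate the pairing in the template or document it next to both values. Minor: the value is interpolated inside nginx double quotes; a value containing `"` would break the directive, so consider escaping or rejecting that character.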


Does the user have to set:

"script-src 'nonce-$request_id' 'strict-dynamic'; style-src 'nonce-$request_id' 'strict-dynamic';" always;

themselves?

@bvs-langchain bvs-langchain Oct 7, 2025


Yes, we could pass through the LangSmith domain and avoid this config option, but I think it is slightly preferable to have the flexibility, at least while this is under development.

@bvs-langchain bvs-langchain merged commit 2c16277 into main Oct 7, 2025
4 checks passed
@bvs-langchain bvs-langchain deleted the brian/ent-120-strict-csp branch October 7, 2025 21:59
romain-priour-lc pushed a commit that referenced this pull request Oct 9, 2025
* feat: support overriding CSP & using nonce

* readme, chart version

* version bump
