I noticed that Jupyter server's default CSP policy doesn't have any restrictions on script/style/font src. I'm looking into adding a strict CSP policy to improve security. I noticed that there are a few script/style definitions in the JupyterLab code that require the unsafe-eval and unsafe-inline directives in CSP. Since it is not recommended to add those unsafe directives, I'm checking to see if I'm missing some configurations/settings and what the recommendation for CSP from the Jupyter team is. Thanks!
Default CSP headers: https://github.com/jupyter-server/jupyter_server/blob/b1388b55eebe868e25c33d4ccc4c835fadb5381a/jupyter_server/base/handlers.py#L87-L93
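Added example (my own code, not from Jupyter Server or JupyterLab): a small CSP linter that parses a `Content-Security-Policy` header string and reports, for `script-src`, `style-src` and `font-src`, whether the directive is unrestricted or allows `'unsafe-inline'`/`'unsafe-eval'`. It is run over the default policy linked above (with `base_url` assumed to be `/`) and over a constructed stricter candidate policy; the candidate is an assumption for illustration, not a recommendation from the Jupyter team.

```python
"""Lint a Content-Security-Policy header for unrestricted or unsafe fetch
directives. Added example, not Jupyter's own code."""

from typing import Dict, List, Optional

# Jupyter Server's default policy as linked in the post, assuming base_url == "/".
JUPYTER_DEFAULT_CSP = "frame-ancestors 'self'; report-uri /api/security/csp-report"

# Constructed stricter candidate for comparison (assumption, not a Jupyter recommendation).
STRICT_CANDIDATE_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "style-src 'self'; "
    "font-src 'self'; "
    "img-src 'self' data:; "
    "frame-ancestors 'self'; "
    "report-uri /api/security/csp-report"
)

# Source expressions that defeat the point of restricting a fetch directive.
PERMISSIVE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}

# The directives the post is concerned about.
FETCH_DIRECTIVES = ("script-src", "style-src", "font-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated, tokens are whitespace-separated and directive
    names are case-insensitive. On a duplicate directive browsers keep the
    first occurrence, so the same is done here.
    """
    parsed: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in parsed:
            continue
        parsed[name] = tokens[1:]
    return parsed


def effective_sources(parsed: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive`, falling back to default-src as browsers
    do for fetch directives. None means nothing restricts it."""
    if directive in parsed:
        return parsed[directive]
    return parsed.get("default-src")


def lint_csp(policy: str) -> List[str]:
    """Return one finding per fetch directive that is unrestricted or permissive."""
    parsed = parse_csp(policy)
    findings: List[str] = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(parsed, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (no {directive} or default-src)")
            continue
        permissive = [s for s in sources if s.lower() in PERMISSIVE_SOURCES]
        if permissive:
            findings.append(f"{directive}: allows {', '.join(permissive)}")
    return findings


if __name__ == "__main__":
    for label, policy in (("default", JUPYTER_DEFAULT_CSP), ("strict", STRICT_CANDIDATE_CSP)):
        print(f"[{label}] {policy}")
        for finding in lint_csp(policy) or ["no findings"]:
            print("   ", finding)
```

Against the default policy the linter reports all three directives as unrestricted, which matches the observation in the post; against the candidate it reports nothing. A policy such as `default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'` yields a single `script-src` finding, since `style-src` and `font-src` fall back to `default-src 'self'`. To my knowledge (an assumption, not confirmed by the post) Jupyter Server applies a `headers` dict from `ServerApp.tornado_settings`, so a `Content-Security-Policy` entry there is the place to try a candidate policy and watch the `report-uri` endpoint for violations before tightening further.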