Unsafe Content-Security-Policy header #76838

Closed
taha2009 opened this issue Sep 7, 2020 · 8 comments
Labels
Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@taha2009

taha2009 commented Sep 7, 2020

Kibana version: 7.7.0

Elasticsearch version: 7.7.0

Server OS version: CentOS

Browser version: Chrome 85.0.4183.83

Browser OS version: Windows 10

Original install method (e.g. download page, yum, from source, etc.): Docker image

Describe the bug:
Currently the content security policy for Kibana is the following: "content-security-policy: script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'"

The CSP header of Kibana includes an unsafe CSP parameter for "script-src", i.e. 'unsafe-inline' 'unsafe-eval'.
The "script-src" parameter is set to 'unsafe-inline', 'unsafe-eval', which allows injection of user-passed values, which can be misused for Cross-Site Scripting attacks. As a best practice, this value should not be included as a "script-src" parameter, if possible.

We tried to simply remove unsafe-eval, but it seems the UI does not support it yet.

Steps to reproduce:

  1. Go to Kibana UI
  2. Check CSP policy of any call.

Expected behavior:
Try to avoid configuring an insecure CSP header. Do not set 'unsafe-inline' in any directive of the CSP header. As a security best practice, this value should not be included, if possible.

You can use a nonce or a hash to remove 'unsafe-eval' and 'unsafe-inline' from CSP.

Any additional context:
NA
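The header quoted in the report can be checked mechanically. The following is an added example, not code from this issue or from the Kibana project: it parses a Content-Security-Policy header value, flags the source expressions that weaken it, and rates a weak source in a script-governing directive higher than one in a style or worker directive. Joining the `csp.rules` array with `"; "` to rebuild the header is an assumption made here for the check.

```javascript
// Added example, not code from the Kibana issue or the Kibana project:
// parse a Content-Security-Policy header value and flag the source
// expressions that weaken it, so a deployment can be checked before and
// after changing csp.rules.
const WEAK_SOURCES = new Map([
  ["'unsafe-inline'", "inline <script>/<style>, event handlers and javascript: URLs execute"],
  ["'unsafe-eval'", "eval(), new Function() and string arguments to setTimeout execute"],
  ["*", "wildcard host allows loading from any origin"],
  ["data:", "data: URLs let injected markup carry its own payload"],
]);

// A weak source in a directive that governs script is high severity;
// in a style or worker directive it is medium.
const SCRIPT_DIRECTIVES = new Set(["default-src", "script-src", "script-src-elem", "script-src-attr"]);

// Split "name src src; name src" into a Map of directive -> [sources].
// Directive names and keyword sources are ASCII case-insensitive.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Return one finding per weak source, with directive, severity and reason.
function findings(header) {
  const out = [];
  for (const [directive, sources] of parseCsp(header)) {
    for (const source of sources) {
      if (!WEAK_SOURCES.has(source)) continue;
      out.push({
        directive,
        source,
        severity: SCRIPT_DIRECTIVES.has(directive) ? "high" : "medium",
        reason: WEAK_SOURCES.get(source),
      });
    }
  }
  return out;
}

// Kibana sends csp.rules as one header; joining with "; " reproduces the
// header quoted in the report (the join is an assumption made here).
function rulesToHeader(rules) {
  return rules.join("; ");
}

// The header value from the issue report.
const REPORTED_HEADER =
  "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'";

for (const f of findings(REPORTED_HEADER)) {
  console.log(`[${f.severity}] ${f.directive}: ${f.source} (${f.reason})`);
}
```

Run against the reported header it prints one high finding for `script-src 'unsafe-eval'` and one medium finding for `style-src 'unsafe-inline'`; run against the `csp.rules` variants tried later in the thread it shows which finding each change removes.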

@monfera
Contributor

monfera commented Sep 7, 2020

Hello @taha2009 - is csp:strict set to true in kibana.yaml? https://www.elastic.co/guide/en/kibana/master/production.html#csp-strict-mode

@taha2009
Author

taha2009 commented Sep 7, 2020

Thanks @monfera for your response.

I did set csp.strict to true, but that does not seem to change the CSP policy.

I believe csp.rules is used to change the default CSP policy. As I mentioned in the original post, removing unsafe-eval using this property causes the UI to crash.

@monfera
Contributor

monfera commented Sep 7, 2020

Thanks for the extra info. I didn't interpret

We tried to simply remove unsafe-eval but it seems UI does not support it yet.

as

As I mentioned in the original post, removing unsafe-eval using this property causes the UI to crash

I thought it referred to no configurability via the UI.

Could you please add details on how it crashes? E.g. a screenshot and the console log in Dev Tools.

@monfera monfera added Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Sep 7, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@taha2009
Author

taha2009 commented Sep 7, 2020

Sure, with the following rule:
csp.rules: ["script-src 'self'", "worker-src blob: 'self'", "style-src 'unsafe-inline' 'self'"]

where I have removed "unsafe-eval" from script-src, the following issues are visible in the UI and console:

[Screenshot: src-unsafe-eval]

[Screenshot: src-unsafe-eval2]

@taha2009
Author

taha2009 commented Sep 7, 2020

With the following policy:
csp.rules: ["script-src 'unsafe-eval' 'self'", "worker-src blob: 'self'", "style-src 'self'"]

where "unsafe-inline" is removed from style-src, the following issue occurs in the UI and console. In the UI you can see the dev console is malformed:

[Screenshot: unsafe-inline-2]

[Screenshot: unsafe-inline-1]

@taha2009
Author

taha2009 commented Sep 7, 2020

Following is the recommendation given to me by security team:

Try to avoid configuring an insecure CSP header. Do not set 'unsafe-inline' in any directive of the CSP header. As a security best practice, this value should not be included, if possible.

You can use a nonce or a hash to remove 'unsafe-eval' and 'unsafe-inline' from CSP.

@legrego
Member

legrego commented Sep 8, 2020

Hi @taha2009, thanks for opening this issue. We really appreciate you taking the time to document your findings here.

We are also very interested in removing unsafe-eval from our Content Security Policy, but we aren't yet in a position to do so. Kibana relies on a number of third-party dependencies which in turn require unsafe-eval in order to function.

Our plan is to remove/replace as many of these dependencies as we can, but it realistically won't be possible to eliminate them all in the near-term. Our plan is to investigate a "sandboxed" approach for these "unsafe" code paths (#27047).

I think the scope of #27047 covers what you're asking here, as the end-result would be the elimination of the unsafe-eval declaration from our CSP. Given this, I will close this as a duplicate, and I encourage you to follow #27047 instead.

@legrego legrego closed this as completed Sep 8, 2020