Unsafe Content-Security-Policy header #76838
Comments
Hello @taha2009 - is
Thanks @monfera for your response. I did set csp.strict to true but that does not seem to change the CSP policy. I believe csp.rules is used to change the default CSP policy. As I mentioned in the original post, removing unsafe-eval using this property causes the UI to crash.
Thanks for the extra info. I didn't interpret
as
I thought it referred to no configurability via the UI. Could you please add details on how it crashes? E.g. a screenshot and the console log in Dev Tools.
Pinging @elastic/kibana-security (Team:Security)
The following is the recommendation given to me by the security team: Try to avoid configuring an insecure CSP header. Do not set 'unsafe-inline' in any directive of the CSP header. As a security best practice, this value should not be included, if possible. You can use a nonce or a hash to remove 'unsafe-eval' and 'unsafe-inline' from the CSP.
Hi @taha2009, thanks for opening this issue. We really appreciate you taking the time to document your findings here. We are also very interested in removing Our plan is to remove/replace as many of these dependencies as we can, but it realistically won't be possible to eliminate them all in the near-term. Our plan is to investigate a "sandboxed" approach for these "unsafe" code paths (#27047). I think the scope of #27047 covers what you're asking here, as the end-result would be the elimination of the
Kibana version: 7.7.0
Elasticsearch version: 7.7.0
Server OS version: CentOS
Browser version: Chrome 85.0.4183.83
Browser OS version: Windows 10
Original install method (e.g. download page, yum, from source, etc.): Docker image
Describe the bug:
Currently the content security policy for Kibana is the following: "content-security-policy: script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'"
The CSP header of Kibana includes unsafe CSP parameters for "script-src", i.e. 'unsafe-inline' 'unsafe-eval'.
The "script-src" parameter is set to 'unsafe-inline', 'unsafe-eval', which allows injection of user-passed values, which can be misused for Cross-Site Scripting attacks. As a best practice, this value should not be included as a "script-src" parameter, if possible.
We tried to simply remove unsafe-eval but it seems the UI does not support it yet.
Steps to reproduce:
Expected behavior:
Try to avoid configuring an insecure CSP header. Do not set 'unsafe-inline' in any directive of the CSP header. As a security best practice, this value should not be included, if possible.
You can use a nonce or a hash to remove 'unsafe-eval' and 'unsafe-inline' from the CSP.
Any additional context:
NA