Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove blob: from our worker-src CSP directive #140388

Closed
wants to merge 1 commit into from
Closed

Remove blob: from our worker-src CSP directive #140388

wants to merge 1 commit into from

Conversation

legrego
Copy link
Member

@legrego legrego commented Sep 9, 2022
edited
Loading

Summary

Removes blob: from our worker-src CSP directive. This was included in our original CSP definition via #29545, and it appears it was only required for use by our geo features (e.g. Maps).

A lot has changed since then, so I'm opening this PR to see if it is viable to remove this directive from our CSP.

Findings

worker-src blob: cannot be removed from our CSP at this time because it is required by the ace editor. We can technically run ace without web worker support, but I suspect this would come with a performance penalty. I am not comfortable making this change at this time given the widespread usage within Kibana.

@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/CSP Platform Security - Content Security Policy release_note:enhancement labels Sep 9, 2022
@kibana-ci
Copy link
Collaborator

kibana-ci commented Sep 9, 2022
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #12 / console app console app with comments with invalid request with invalid character should display error marker
  • [job] [logs] FTR Configs #33 / console app console app with comments with invalid request with invalid character should display error marker
  • [job] [logs] FTR Configs #12 / console app console app with comments with invalid request with invalid character should display error marker
  • [job] [logs] FTR Configs #33 / console app console app with comments with invalid request with invalid character should display error marker
  • [job] [logs] FTR Configs #45 / Dev Tools Search Profiler Editor correctly parses triple quotes in JSON
  • [job] [logs] FTR Configs #45 / Dev Tools Search Profiler Editor correctly parses triple quotes in JSON
  • [job] [logs] FTR Configs #32 / discover app discover integration with runtime fields editor allows creation of a new field
  • [job] [logs] FTR Configs #32 / discover app discover integration with runtime fields editor allows creation of a new field
  • [job] [logs] FTR Configs #4 / lens app - group 1 lens ad hoc data view tests should allow adding and using a field
  • [job] [logs] FTR Configs #4 / lens app - group 1 lens ad hoc data view tests should allow adding and using a field
  • [job] [logs] FTR Configs #28 / lens app - group 2 lens runtime fields should be able to add runtime field and use it
  • [job] [logs] FTR Configs #28 / lens app - group 2 lens runtime fields should be able to add runtime field and use it
  • [job] [logs] FTR Configs #6 / lens app - group 3 lens formula should insert single quotes and escape when needed to create valid field name
  • [job] [logs] FTR Configs #6 / lens app - group 3 lens formula should insert single quotes and escape when needed to create valid field name
  • [job] [logs] FTR Configs #1 / machine learning - data visualizer data view management adds new field
  • [job] [logs] FTR Configs #1 / machine learning - data visualizer data view management adds new field
  • [job] [logs] FTR Configs #26 / management runtime fields create runtime field should create runtime field
  • [job] [logs] FTR Configs #26 / management runtime fields create runtime field should create runtime field

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego
Copy link
Member Author

legrego commented Sep 9, 2022

It appears that our code editor (ace) require web workers to function, judging by the test failures.

@legrego legrego mentioned this pull request Sep 9, 2022
Open
9 tasks
@azasypkin
Copy link
Member

It appears that our code editor (ace) require web workers to function, judging by the test failures.

Ugh, thanks for figuring this out!

Here are the relevant log lines, just for the record:

warn browser[SEVERE] http://localhost:5620/56150/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js 0 Refused to create a worker from 'blob:http://localhost:5620/eeb075fc-4626-4ca3-a1fa-00d299ed43e9' because it violates the following Content Security Policy directive: "worker-src 'self'".

debg browser[WARNING] http://localhost:5620/56150/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js 0:1141647 "Could not create web worker(s). Falling back to loading web worker code in main thread, which might cause UI freezes. Please see https://github.com/microsoft/monaco-editor#faq"

debg browser[WARNING] http://localhost:5620/56150/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js 0:1141840 "Failed to construct 'Worker': Access to the script at 'blob:http://localhost:5620/eeb075fc-4626-4ca3-a1fa-00d299ed43e9' is denied by the document's Content Security Policy."

@legrego
Copy link
Member Author

legrego commented Sep 9, 2022

Falling back to loading web worker code in main thread, which might cause UI freezes. Please see https://github.com/microsoft/monaco-editor#faq"

Ah, so it seems that monaco suffers the same fate 😒

@legrego legrego closed this Sep 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Feature:Security/CSP Platform Security - Content Security Policy release_note:enhancement Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@legrego @kibana-ci @azasypkin