Content security policy strict mode #29856
Conversation
Pinging @elastic/kibana-security
Tested in IE11 on a Windows 10 machine. I can confirm that it prevents Kibana from loading with I don't see any console errors, and I did see that it managed to set both
@legrego I think it's an issue with my toggle logic. Specifically I set
A content security policy is a great addition to the protections built into Kibana, but it's not effective in older browsers (like IE11) that do not enforce the policy. When CSP strict mode is enabled, right before the Kibana app is bootstrapped, a basic safety check is performed to see if "naked" inline scripts are rejected. If inline scripting is allowed by the browser, then an error message is presented to the user and Kibana never attempts to bootstrap.
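The check described above, as an added example that is not Kibana's own code: the server sends a script-src policy that only permits nonced scripts, the page carries a nonce-less ("naked") inline script that sets a marker, and the bootstrap code refuses to start the app when that marker was set under strict mode. The identifiers (MARKER, strictCspHeader, cspProbeMarkup, cspStrictCheck, simulateLoad), the header value and the error text are assumptions for illustration; simulateLoad is an offline stand-in for a browser so the logic can be run without a DOM.

```javascript
// Added example, not Kibana's own code: a minimal model of the CSP strict
// mode safety check. A browser that enforces CSP never runs the nonce-less
// probe script, so the marker stays unset; a browser that ignores CSP
// (IE11) runs it, and strict mode then refuses to bootstrap.
// All names, the header value and the error text are assumptions.

const MARKER = '__cspProbeRan';

// Server side: a policy that allows only scripts carrying the per-request nonce.
function strictCspHeader(nonce) {
  return `script-src 'nonce-${nonce}'; object-src 'none'`;
}

// The probe: an inline script with no nonce attribute. Under the policy above
// a CSP-enforcing browser must refuse to execute it.
function cspProbeMarkup() {
  return `<script>window.${MARKER} = true;</script>`;
}

// Runs right before the app bootstraps. `win` is the page's window object,
// `strict` is the csp.strict setting. Returns whether to bootstrap and, if
// not, the message to show in place of the app.
function cspStrictCheck(win, strict) {
  const inlineScriptsAllowed = win[MARKER] === true;
  if (strict && inlineScriptsAllowed) {
    return {
      bootstrap: false,
      message: 'This browser does not enforce Content Security Policy, ' +
               'which csp.strict requires. Use a browser that supports CSP.',
    };
  }
  return { bootstrap: true, message: null };
}

// Offline stand-in for a browser loading the page, so the check can be
// exercised without a DOM. `enforcesCsp` models whether the browser honours
// script-src at all (true for modern browsers, false for IE11).
function simulateLoad({ enforcesCsp, strict }) {
  const win = {};
  const header = strictCspHeader('c0nstructedN0nce'); // constructed nonce
  const html = cspProbeMarkup();

  // An enforcing browser runs an inline script only if the policy allows it:
  // either the script carries a nonce or the policy is not nonce-based.
  const scriptHasNonce = /<script[^>]*\snonce=/.test(html);
  const policyIsNonceBased = /script-src[^;]*'nonce-/.test(header);
  const allowedByPolicy = scriptHasNonce || !policyIsNonceBased;

  if (!enforcesCsp || allowedByPolicy) {
    // The inline script executed and set the marker.
    win[MARKER] = true;
  }
  return cspStrictCheck(win, strict);
}

// Stand-alone run: an enforcing browser and a non-enforcing one, csp.strict on.
console.log(simulateLoad({ enforcesCsp: true, strict: true }));
console.log(simulateLoad({ enforcesCsp: false, strict: true }));
```

The detection relies on the probe being the only nonce-less inline script on the page and on it running before the bootstrap check; if the probe is dropped from the markup or a later script sets the marker, the check loses its meaning.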
💚 Build Succeeded
This should be good to go.
LGTM - tested in chrome, both with and without CSP enabled (via https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden?hl=en). Also tested on IE11, works great! No issues displaying the error message either.
At one point, you had mentioned adding a console log letting folks know that a single error in the console is expected when strict mode is enabled. Is that something you still want to do?
@legrego I pushed some updates for your feedback. Can you give it a whirl again, particularly in IE?
💚 Build Succeeded
Thanks @epixa -- Tested latest round in IE and Chrome; looks great!
A content security policy is a great addition to the protections built into Kibana, but it's not effective in older browsers (like IE11) that do not enforce the policy.

When CSP strict mode is enabled, right before the Kibana app is bootstrapped, a basic safety check is performed to see if "naked" inline scripts are rejected. If inline scripting is allowed by the browser, then an error message is presented to the user and Kibana never attempts to bootstrap.
With this change, if you set csp.strict = true in your kibana.yml and try to load Kibana in IE11, you'll get an error message.

Follow up to #29545