configurable CSP owned by security team

elastic · Jan 31, 2019 · 1cbf478 · 1cbf478
1 parent d993433
commit 1cbf478
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 11 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -14,6 +14,7 @@
 # Security
 /x-pack/plugins/security/  @elastic/kibana-security
 /x-pack/plugins/spaces/  @elastic/kibana-security
+/src/server/csp/ @elastic/kibana-security
 
 # Design
 **/*.scss  @elastic/kibana-design

diff --git a/src/server/config/schema.js b/src/server/config/schema.js
@@ -29,6 +29,7 @@ import {
 import {
   getData
 } from '../path';
+import { DEFAULT_CSP_RULES, DEFAULT_CSP_LEGACY_BROWSER_RULES } from '../csp';
 
 const tilemapSchema = Joi.object({
   url: Joi.string(),
@@ -94,6 +95,11 @@ export default () => Joi.object({
     exclusive: Joi.boolean().default(false)
   }).default(),
 
+  csp: Joi.object({
+    rules: Joi.array().items(Joi.string()).default(DEFAULT_CSP_RULES),
+    legacyBrowserRules: Joi.array().items(Joi.string()).default(DEFAULT_CSP_LEGACY_BROWSER_RULES),
+  }).default(),
+
   cpu: Joi.object({
     cgroup: Joi.object({
       path: Joi.object({

diff --git a/src/ui/ui_render/ui_render_mixin.js b/src/ui/ui_render/ui_render_mixin.js
@@ -17,8 +17,7 @@
  * under the License.
  */
 
-import { createHash, randomBytes } from 'crypto';
-import { promisify } from 'util';
+import { createHash } from 'crypto';
 import { props, reduce as reduceAsync } from 'bluebird';
 import Boom from 'boom';
 import { resolve } from 'path';
@@ -27,8 +26,7 @@ import { i18n } from '@kbn/i18n';
 import { AppBootstrap } from './bootstrap';
 import { mergeVariables } from './lib';
 import { fromRoot } from '../../utils';
-
-const randomBytesAsync = promisify(randomBytes);
+import { generateCSPNonce, createCSPRuleString } from '../../server/csp';
 
 export function uiRenderMixin(kbnServer, server, config) {
   function replaceInjectedVars(request, injectedVars) {
@@ -215,7 +213,7 @@ export function uiRenderMixin(kbnServer, server, config) {
       injectedVarsOverrides
     });
 
-    const nonce = (await randomBytesAsync(12)).toString('base64');
+    const nonce = await generateCSPNonce();
 
     const response = h.view('ui_app', {
       nonce,
@@ -245,13 +243,11 @@ export function uiRenderMixin(kbnServer, server, config) {
       },
     });
 
-    const csp = [
-      `script-src 'unsafe-eval' 'nonce-${nonce}'`,
-      'worker-src blob:',
-      'child-src blob:',
-    ];
+    const csp = createCSPRuleString(config.get('csp.rules'), nonce);
+    response.header('content-security-policy', csp);
 
-    response.header('content-security-policy', csp.join(';'));
+    const legacyCsp = createCSPRuleString(config.get('csp.legacyBrowserRules'), nonce);
+    response.header('x-content-security-policy', legacyCsp);
 
     return response;
   }