Avoid use of deprecated window.Controllers for UA detection #35023

Closed
Kolano opened this issue Apr 12, 2019 · 3 comments
Labels
stale Used to mark issues that were closed for being stale Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc triage_needed

Comments

Kolano commented Apr 12, 2019

Kibana version:
7.0.0

Elasticsearch version:
7.0.0

Server OS version:
Ubuntu 18.10

Browser version:
Firefox 66.0.2 (64-bit)

Browser OS version:
Windows 10

Original install method (e.g. download page, yum, from source, etc.):
apt-get

Describe the bug:
A few deprecated code / security warnings output with every page load (though it seems at least one is expected)...

Content Security Policy: Directive ‘child-src’ has been deprecated. Please use directive ‘worker-src’ to control workers, or directive ‘frame-src’ to control frames respectively.
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
^ A single error about an inline script not firing due to content security policy is expected!
window.controllers/Controllers is deprecated. Do not use it for UA detection.

Steps to reproduce:

  1. Load almost any Kibana page

Expected behavior:
Pages to load without outputting warnings / security errors

Errors in browser console (if relevant):
Indicated above

@monfera monfera added Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Apr 15, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@legrego
Member

legrego commented Apr 15, 2019

@Kolano thanks for the report.

In order to support Safari, we are required to use worker-src instead of frame-src (see PR review here where we discuss this). If you do not need to support Safari, then you are free to configure your own CSP rules via the csp.rules configuration option in your kibana.yml.

I am going to rename this issue to focus on the window.Controllers warning, since CSP is functioning as designed.
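
The directives named in this thread (child-src, worker-src, frame-src) are linked by CSP's fallback rules, which is what decides whether dropping the deprecated one is safe. The sketch below is an added example, not part of the original thread or Kibana's code: the policy strings and function names are constructed for illustration, and the chains assume CSP Level 3 behaviour, plus CSP Level 2 behaviour for a browser that does not implement worker-src.

```javascript
// Added example. Fallback chains: the first directive present in the policy governs.
const CHAINS = {
  worker: ['worker-src', 'child-src', 'script-src', 'default-src'], // CSP Level 3
  legacyWorker: ['child-src', 'default-src'], // CSP Level 2 (no worker-src support)
  frame: ['frame-src', 'child-src', 'default-src'], // CSP Level 3
};

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the directive that actually governs a resource kind, or null if none does.
function governing(policy, kind) {
  for (const name of CHAINS[kind]) {
    if (policy.has(name)) return { directive: name, sources: policy.get(name) };
  }
  return { directive: null, sources: null };
}

// Report what child-src is (or is not) doing in a policy.
function auditChildSrc(header) {
  const policy = parseCsp(header);
  const worker = governing(policy, 'worker');
  const legacyWorker = governing(policy, 'legacyWorker');
  const frame = governing(policy, 'frame');
  const findings = [];
  if (policy.has('child-src')) {
    findings.push('child-src present: expect a deprecation warning in the console');
    if (worker.directive === 'child-src') findings.push('workers rely on child-src; add worker-src');
    if (frame.directive === 'child-src') findings.push('frames rely on child-src; add frame-src');
  } else if (legacyWorker.directive === null) {
    findings.push('no child-src or default-src: browsers without worker-src leave workers unrestricted');
  }
  return { worker, legacyWorker, frame, findings };
}

// Constructed sample policies, not Kibana's shipped defaults.
const WITH_CHILD_SRC = "script-src 'self'; worker-src blob:; child-src blob:";
const WITHOUT_CHILD_SRC = "script-src 'self'; worker-src blob:";
console.log(auditChildSrc(WITH_CHILD_SRC).findings);
console.log(auditChildSrc(WITHOUT_CHILD_SRC).findings);
```
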

@legrego legrego changed the title JS Deprecated Code Warnings Avoid use of deprecated window.Controllers for UA detection Apr 15, 2019
@legrego legrego added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc triage_needed and removed Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Apr 15, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-platform

@joshdover joshdover added the stale Used to mark issues that were closed for being stale label Jan 14, 2021