
Content security policy strict mode #29856

Merged
merged 7 commits into elastic:master from csp2-strictmode
Feb 4, 2019

Conversation

epixa
Contributor

@epixa epixa commented Feb 1, 2019

A content security policy is a great addition to the protections built
into Kibana, but it's not effective in older browsers (like IE11) that
do not enforce the policy.

When CSP strict mode is enabled, right before the Kibana app is
bootstrapped, a basic safety check is performed to see if "naked" inline
scripts are rejected. If inline scripting is allowed by the browser,
then an error message is presented to the user and Kibana never attempts
to bootstrap.

With this change, if you set csp.strict = true in your kibana.yml and try
to load Kibana in IE11, you'll get an error message.

Follow up to #29545
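The check described above, as an added example that is not Kibana's own code: a "naked" inline probe script sets a flag that only a browser ignoring CSP can set, and the bootstrap gate refuses to start when strict mode is on and that flag is present. The two window flags are the ones named in this thread; the function names, the nonce mechanism for the strict flag and the browser simulation are assumptions made for illustration.

```javascript
// Server side: the page Kibana sends. The csp.strict setting is carried by a
// nonce-bearing script (assumed here; a CSP-enforcing browser may run it),
// while the probe is a "naked" inline script with no nonce. A browser that
// enforces the policy must refuse the probe; a browser that ignores CSP (IE11)
// runs it and thereby reveals that the policy is not enforced.
function renderPage(strict, nonce) {
  return [
    `<script nonce="${nonce}">window.__kbnStrictCsp = ${strict};</script>`,
    '<script>window.__kbnCspNotEnforced__ = true;</script>',
  ].join('\n');
}

// Client side: the gate the bundle runs before bootstrapping. Returns what the
// app does next so the decision can be checked without a real DOM.
function cspGate(win) {
  if (win.__kbnStrictCsp && win.__kbnCspNotEnforced__) {
    win.errorMessage = 'Kibana requires a browser that enforces Content Security Policy.';
    return 'blocked';
  }
  return 'bootstrap';
}

// Minimal browser model: each inline script runs against a fresh window
// object. A CSP-enforcing browser only runs scripts whose nonce matches the
// one the policy advertises; a legacy browser runs everything.
function simulateLoad(html, { enforcesCsp, policyNonce }) {
  const win = { __kbnStrictCsp: false, __kbnCspNotEnforced__: false, errorMessage: null };
  const scriptRe = /<script(?:\s+nonce="([^"]*)")?>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, nonce, body] = m;
    if (enforcesCsp && nonce !== policyNonce) continue; // naked script is dropped
    new Function('window', body)(win);                   // legacy browser executes it
  }
  return { outcome: cspGate(win), win };
}

const NONCE = 'demo-nonce-123'; // constructed sample value
const page = renderPage(true, NONCE);
const modern = simulateLoad(page, { enforcesCsp: true, policyNonce: NONCE });
const legacy = simulateLoad(page, { enforcesCsp: false, policyNonce: NONCE });
console.log(modern.outcome, legacy.outcome); // bootstrap blocked
```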

@epixa epixa added v7.0.0 Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result v6.7.0 labels Feb 1, 2019
@epixa epixa self-assigned this Feb 1, 2019
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@legrego
Member

legrego commented Feb 1, 2019

Tested in IE11 on a Windows 10 machine. I can confirm that it prevents Kibana from loading with csp.strict: true, but it's not rendering the error message, or anything for that matter.

I don't see any console errors, and I did see that it managed to set both window.__kbnCspNotEnforced__: true and window.__kbnStrictCsp: true.


@epixa
Contributor Author

epixa commented Feb 1, 2019

@legrego I think it's an issue with my toggle logic. Specifically I set display: flex and I bet there's some sort of override for IE that I should be applying instead. It's possible this will be addressed with the design work @snide will push. I'll hold off until he's done with that before I mess with it.

@epixa epixa added release_note:enhancement and removed enhancement New value added to drive a business result labels Feb 1, 2019
@elasticmachine
Contributor

💚 Build Succeeded

@epixa epixa added the review label Feb 2, 2019
@epixa epixa requested a review from a team February 2, 2019 03:00
@epixa epixa removed their assignment Feb 2, 2019
@epixa
Contributor Author

epixa commented Feb 2, 2019

This should be good to go.

Contributor

@snide snide left a comment

I tested this for functionality and did a brief code review of what I could understand. In IE with the setting enabled it displays the warning. For Chrome, it loads fine and gets past auth with no problems.

Member

@legrego legrego left a comment

LGTM - tested in Chrome, both with and without CSP enabled (via https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden?hl=en). Also tested on IE11, works great! No issues displaying the error message either.

At one point, you had mentioned adding a console log letting folks know that a single error in the console is expected when strict mode is enabled. Is that something you still want to do?

@epixa
Contributor Author

epixa commented Feb 3, 2019

@legrego I pushed some updates for your feedback. Can you give it a whirl again, particularly in IE?

@elasticmachine
Contributor

💚 Build Succeeded

@legrego
Member

legrego commented Feb 4, 2019

Thanks @epixa -- tested latest round in IE and Chrome; looks great!

@epixa epixa added the Feature:Security/CSP Platform Security - Content Security Policy label Feb 4, 2019
@epixa epixa merged commit 475dd56 into elastic:master Feb 4, 2019
@epixa epixa deleted the csp2-strictmode branch February 4, 2019 14:09
epixa added a commit that referenced this pull request Feb 11, 2019