-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move CSP options to new platform #52698
Conversation
Pinging @elastic/kibana-platform (Team:Platform) |
c1b20ce
to
02d335a
Compare
x-pack/legacy/plugins/security/server/routes/api/v1/authenticate.js
Outdated
Show resolved
Hide resolved
002df22
to
255a723
Compare
08c6fb6
to
7ab6d99
Compare
fe8af81
to
2d3d745
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the last iteration I looked at, directives
was not part of the config, which I thought made sense. This revision has it back in the config, which is redundant with the csp.rules
config option.
b78c450
to
b81a6f8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts
Show resolved
Hide resolved
`style-src 'unsafe-inline' 'self'`, | ||
], | ||
}), | ||
strict: schema.boolean({ defaultValue: true }), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll have to be careful when backporting this, as the default in 7.x is false
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Platform changes LGTM, I'll defer to @elastic/kibana-security for the changes to their plugin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM on green CI
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
// TODO: Move this to server.csp using config deprecations | ||
// ? https://github.com/elastic/kibana/pull/52251 | ||
path: 'csp', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding renaming the csp
config key, I will handle this in another PR and make sure we reach consensus between the Platform and Security teams =)
Thanks for all the great reviews! |
* Move CSP options to new platform * Expose SharedGlobalConfig from root * Derive CSP options from config * Consolidate CSP configuration with HTTP config * Fix outstanding config renames * Remove legacy CSP configuration calls, migrate to platform properties * Revise docs * Fix test from type change * Expose ICspConfig, consolidate and simplify CSP defaults access * Rebase and update docs * Remove legacy API from route definition params, review nits * Clean up config path usages for consistency * Regenerate docs
* Move CSP options to new platform (#52698) * Move CSP options to new platform * Expose SharedGlobalConfig from root * Derive CSP options from config * Consolidate CSP configuration with HTTP config * Fix outstanding config renames * Remove legacy CSP configuration calls, migrate to platform properties * Revise docs * Fix test from type change * Expose ICspConfig, consolidate and simplify CSP defaults access * Rebase and update docs * Remove legacy API from route definition params, review nits * Clean up config path usages for consistency * Regenerate docs * Test correct default value of csp.strict in 7.x
Summary
Move CSP options from legacy into the new platform. This blocks being able to add the new rendering service in #52161.
Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n supportThis was checked for keyboard-only and screenreader accessibilityFor maintainers
Dev Docs
The default options used for managing Kibana's Content Security Policy have been moved into core for the new platform. Relevant items exposed from
src/core/server
include:CspConfig
: TypeScript class for generating CSP configuration. Will generate default configuration for any properties not specified in initialization.CspConfig.DEFAULT
: Default CSP configuration.ICspConfig
: Interface representing CSP configuration.