Remove legacy CSP configuration calls, migrate to platform properties

src/core/server/csp/csp_config.ts

@@ -29,25 +29,25 @@ export class CspConfig {
   /**
    * The CSP rules used for Kibana.
    */
-  public rules: string[];
+  public readonly rules: string[];
 
   /**
    * Specify whether browsers that do not support CSP should be
    * able to use Kibana. Use `true` to block and `false` to allow.
    */
-  public strict: boolean;
+  public readonly strict: boolean;
 
   /**
    * Specify whether users with legacy browsers should be warned
    * about their lack of Kibana security compliance.
    */
-  public warnLegacyBrowsers: boolean;
+  public readonly warnLegacyBrowsers: boolean;
 
   /**
    * The CSP rules in a formatted directives string for use
    * in a `Content-Security-Policy` header.
    */
-  public header!: string;
+  public readonly header: string;
 
   /**
    * Returns the default CSP configuration when passed with no config
@@ -58,9 +58,6 @@ export class CspConfig {
     this.rules = source.rules;
     this.strict = source.strict;
     this.warnLegacyBrowsers = source.warnLegacyBrowsers;
-    Object.defineProperty(this, 'header', {
-      enumerable: true,
-      get: () => this.rules.join('; '),
-    });
+    this.header = source.rules.join('; ');
   }
 }

src/legacy/core_plugins/kibana/server/lib/csp_usage_collector/csp_collector.ts

@@ -26,16 +26,17 @@ export function createCspCollector(server: Server) {
     type: 'csp',
     isReady: () => true,
     async fetch() {
-      const config = server.config();
-      const { header } = new CspConfig();
+      const { strict, warnLegacyBrowsers, header } = server.newPlatform.setup.core.http.csp;
+      // This is used to get the default CSP header string.
+      const { header: defaultCspHeader } = new CspConfig();
 
       return {
-        strict: config.get('csp.strict'),
-        warnLegacyBrowsers: config.get('csp.warnLegacyBrowsers'),
+        strict,
+        warnLegacyBrowsers,
         // It's important that we do not send the value of csp.header here as it
         // can be customized with values that can be identifiable to given
         // installs, such as URLs
-        rulesChangedFromDefault: header !== config.get('csp.header'),
+        rulesChangedFromDefault: header !== defaultCspHeader,
       };
     },
   };

src/legacy/ui/ui_render/ui_render_mixin.js

@@ -245,11 +245,10 @@ export function uiRenderMixin(kbnServer, server, config) {
         return { id, plugin, config: {} };
       }
     }));
-
-    console.log(config.get('csp'));
+    const { strict, warnLegacyBrowsers, header } = kbnServer.newPlatform.setup.core.http.csp;
 
     const response = h.view('ui_app', {
-      strictCsp: config.get('csp.strict'),
+      strictCsp: strict,
       uiPublicUrl: `${basePath}/ui`,
       bootstrapScriptUrl: `${basePath}/bundles/app/${app.getId()}/bootstrap.js`,
       i18n: (id, options) => i18n.translate(id, options),
@@ -267,7 +266,7 @@ export function uiRenderMixin(kbnServer, server, config) {
           translationsUrl: `${basePath}/translations/${i18n.getLocale()}.json`,
         },
         csp: {
-          warnLegacyBrowsers: config.get('csp.warnLegacyBrowsers'),
+          warnLegacyBrowsers,
         },
         vars: await replaceInjectedVars(
           request,
@@ -284,7 +283,7 @@ export function uiRenderMixin(kbnServer, server, config) {
       },
     });
 
-    response.header('content-security-policy', config.get('csp.header'));
+    response.header('content-security-policy', header);
 
     return response;
   }

x-pack/legacy/plugins/security/index.js

@@ -126,7 +126,7 @@ export const security = (kibana) => new kibana.Plugin({
       isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind(
         server.plugins.kibana.systemApi
       ),
-      cspRules: config.get('csp.header'),
+      cspRules: server.newPlatform.setup.core.http.csp.header,
     });
 
     // Legacy xPack Info endpoint returns whatever we return in a callback for `registerLicenseCheckResultsGenerator`