Plugins should be able to inject new CSP directives #101579
Pinging @elastic/kibana-core (Team:Core)
I strongly prefer the more strict approach. I think we should only allow
I don't want to allow plugins to specify their own
Is there a regexp somewhere for the
I'm not aware of a ready-to-go regex. I think we'd have to do our best to ensure that the input conforms to the
This is no longer needed by any internal consumers. Closing, but feel free to reopen if a new use case comes up.
Kibana ships with a default Content Security Policy (CSP) that is as strict as possible without potentially breaking many operators' usage of Kibana. Recently we've had users ask about configuring Investigating this with @azasypkin for a couple hours, we've discovered that if
This is not an exhaustive list, but it seems that we have enough justification to allow plugins to register specific CSP source values. We'd only want these source values to be applied to loosen the configured CSP to prevent Kibana from breaking, though. For example: we don't want to apply
This feature is already available, we probably just need to improve it by adding the missing values necessary for Kibana to function. E.g. we're not adding
`kibana/src/core/server/csp/csp_directives.ts` (lines 33 to 44 in 44c9611)
@jportner do you have an exhaustive list of what should be added?
It's partially available.
If we were to do this it would probably be prudent to log something on startup, like:
I don't have an exhaustive list yet, I think what I specified in my comment is the majority of it right now. But I haven't fully tested every aspect of Kibana with such a minimally-defined CSP.
Ok, sorry I misunderstood the exact context / need here.
FWIW, technically that's incorrect. the
May be a bit tricky, because we don't know the order the plugins will be registering additional directives. So we would need to execute this logic as a post-process step, I think:
But that doesn't seem too complex
We have some internal use cases for plugins that add tracking script tags to Kibana to be able to add additional `script-src` directives to Kibana's CSP so that these tracking scripts can be safely loaded by the client's browser. This depends on #94414 which changes our CSP configuration to be additive rather than an open-ended box. Once that is implemented, we should be able to add a server-side Core API like:
cc @elastic/kibana-security for any suggestions or guardrails you'd like to see on this API
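A sketch of how the additive API described in this issue could work, as an added example that is not Kibana's code: plugins register extra source values per directive, registration is validated, and one post-processing step at startup merges every registration into the base policy and logs each addition, so plugin registration order does not matter (the order-independent merge and startup logging discussed in the comments above). It assumes plugins may only contribute host-source expressions and never keyword sources, which is one reading of the stricter approach argued for above; `CspRegistry`, `demo`, the base policy and the sample hosts are constructed.

```typescript
// Added example, not Kibana's own code. Models an additive CSP registry:
// plugins register extra source values for a directive, and a single
// post-processing step at startup merges all registrations into the base
// policy, so the order in which plugins register does not matter.

// Assumption: plugins may only add host-source expressions
// (scheme://host[:port][/path] or host[:port], optional *. wildcard).
// Keyword sources such as 'unsafe-inline' never match, so a plugin can only
// widen the set of allowed hosts, not weaken the policy in other ways.
const HOST_SOURCE_RE =
  /^(?:https?:\/\/)?(?:\*\.)?[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*(?::\d{1,5})?(?:\/[a-z0-9._~%!$&'()*+,;=:@/-]*)?$/i;

type Registration = { pluginId: string; directive: string; sources: string[] };

class CspRegistry {
  private readonly registrations: Registration[] = [];
  constructor(private readonly base: Record<string, string[]>) {}

  // Called by plugins during setup; validates input but leaves the base policy untouched.
  registerSources(pluginId: string, directive: string, sources: string[]): void {
    if (!(directive in this.base)) throw new Error(`unknown directive: ${directive}`);
    for (const s of sources) {
      if (!HOST_SOURCE_RE.test(s)) throw new Error(`${pluginId}: invalid source for ${directive}: ${s}`);
    }
    this.registrations.push({ pluginId, directive, sources });
  }

  // Post-process step run once at startup: union all registrations, dedupe,
  // keep a stable order, and produce one log line per value actually added.
  finalize(): { header: string; log: string[] } {
    const merged: Record<string, string[]> = {};
    for (const [d, v] of Object.entries(this.base)) merged[d] = [...v];
    const log: string[] = [];
    for (const { pluginId, directive, sources } of this.registrations) {
      const list = merged[directive];
      if (!list) continue;
      for (const s of sources) {
        if (list.includes(s)) continue;
        list.push(s);
        log.push(`Plugin "${pluginId}" added ${s} to ${directive}`);
      }
    }
    const header = Object.entries(merged).map(([d, v]) => `${d} ${v.join(' ')}`).join('; ');
    return { header, log };
  }
}

// Constructed demonstration input (base policy, plugin ids and hosts are made up).
function demo(): { header: string; log: string[] } {
  const registry = new CspRegistry({ 'script-src': ["'self'"], 'style-src': ["'self'", "'unsafe-inline'"] });
  registry.registerSources('telemetry', 'script-src', ['https://tracking.example.com']);
  registry.registerSources('other-plugin', 'script-src', ['https://tracking.example.com', 'https://cdn.example.org']);
  return registry.finalize();
}
```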