Get rid of CSP check

[mshustov]

Kibana doesn't support IE11 from the v7.9 release. We can remove the browser supporting CSP check

kibana/src/core/server/rendering/views/template.tsx

Lines 155 to 161 in cd952b2

	{`
	// Since this is an unsafe inline script, this code will not run
	// in browsers that support content security policy(CSP). This is
	// intentional as we check for the existence of __kbnCspNotEnforced__ in
	// bootstrap.
	window.__kbnCspNotEnforced__ = true;
	`}

as all other browsers from Supported Browsers matrix implement CSP https://www.elastic.co/support/matrix#matrix_browsers

Note: Kibana might continue working accidentally as long as IE11 listed in compilation targets. We should wait until it's removed from the list #42279

[elasticmachine]

Pinging @elastic/kibana-platform (Team:Platform)

[epixa]

I don’t recommend removing this check. An XSS vulnerability doesn’t just put that user at risk, it can give an attacker access (directly or indirectly) to kibana itself. So Kibana may be exploited if any user is impacted by XSS.

This check ensures people with broken CSP support are unable to load Kibana at all. That does include IE11, but it also includes older versions of existing browsers, or any future version of a browser that regresses in its CSP support, like Microsoft Edge did at some point.

[epixa]

@elastic/kibana-security fyi

[legrego]

Thanks for the ping @epixa. I agree with Court here: in addition to a browser regression, we've also seen enterprises configure group policies which instruct otherwise compliant browsers to use a different (often incompatible) CSP, ignoring the policy that Kibana itself sends.