I don’t recommend removing this check. An XSS vulnerability doesn’t just put that user at risk, it can give an attacker access (directly or indirectly) to Kibana itself. So Kibana may be exploited if any user is impacted by XSS.
This check ensures people with broken CSP support are unable to load Kibana at all. That does include IE11, but it also includes older versions of existing browsers, or any future version of a browser that regresses in its CSP support, like Microsoft Edge did at some point.
Thanks for the ping @epixa. I agree with Court here: in addition to a browser regression, we've also seen enterprises configure group policies which instruct otherwise compliant browsers to use a different (often incompatible) CSP, ignoring the policy that Kibana itself sends.
Kibana doesn't support IE11 from the v7.9 release. We can remove the browser supporting CSP check.
kibana/src/core/server/rendering/views/template.tsx
Lines 155 to 161 in cd952b2
Supported Browsers matrix implement CSP https://www.elastic.co/support/matrix#matrix_browsers
Note: Kibana might continue working accidentally as long as IE11 is listed in compilation targets. We should wait until it's removed from the list #42279