[Maps] Use static worker with mapbox-gl#40667
[Maps] Use static worker with mapbox-gl#40667thomasneirynck wants to merge 1 commit intoelastic:masterfrom
Conversation
src/legacy/server/csp/index.ts
Outdated
| const randomBytesAsync = promisify(randomBytes); | ||
|
|
||
| export const DEFAULT_CSP_RULES = Object.freeze([ | ||
| `script-src 'unsafe-eval' 'nonce-{nonce}'`, |
There was a problem hiding this comment.
We can remove the worker-src blob: and child-src blob: directives because of this change.
The script-src directive, as is, will no longer work as the mapbox-gl code is now trying to load an external script. We could modify it and add strict-dynamic (?)
e.g.:
export const DEFAULT_CSP_RULES = Object.freeze([
`script-src 'unsafe-eval' 'nonce-{nonce}' 'strict-dynamic`
]);
This is the suggested work-around as discussed here for workers and nonce-based policies w3c/webappsec-csp#375.
Maybe we should load mapbox-gl in a separate script tag (and not as a vendors-bundle), and only enable strict-dynamic for mapbox-gl?
There was a problem hiding this comment.
I assume we don't have any options for specifying the nonce attribute on the script tag which is added to the DOM?
There was a problem hiding this comment.
I assume we don't have any options for specifying the nonce attribute on the script tag which is added to the DOM?
Correct. We don't have control over how the worker-script loaded by mapbox-gl-csp.js, which in turn loads content with importScripts.
If we want to preserve a custom script-src directive with nonce based security (do we want this in the long run (?)), maybe we could modify how we load scripts and provided nonces on all <script> tags (same as now), but load mapbox-gl-csp.js in a separate script-tag (different as now, as it is packaged with vendors.dll.js now). Only for that mapbox-gl-csp.js script, we could enable strict-dynamic, because it's I think the only script which loads child-scripts (ie. the worker).
^ just a thought. Not 100% sure about the impact of adding strict-dynamic (or the removal of script-src directive completely for that matter).
There was a problem hiding this comment.
If we want to preserve a custom script-src directive with nonce based security (do we want this in the long run (?))
At this time, that's the intent. There's potential for us to switch to script-src 'unsafe-inline' 'self' but it's not something we have a plan to do.
Only for that mapbox-gl-csp.js script, we could enable strict-dynamic, because it's I think the only script which loads child-scripts (ie. the worker).
I believe that we have to add strict-dynamic as the CSP policy which applies to all scripts, I don't believe there's a way to scope this to only a single script tag.
thomasneirynck
added
chore
Team:Geo
|
Pinging @elastic/kibana-gis |
thomasneirynck
added
the
release_note:skip
💔 Build Failed |
|
replacing with #48449 |
4 participants
DO NOT MERGE
Closes #33651.
This enables us to remove the
worker-srcandchild-srcdirectives.The existing script-src directive no longer works, since the mapbox-gl code is now loading an external worker.
Not sure what the right way forward is. See inline comment here for details https://github.com/elastic/kibana/pull/40667/files#r301719668