Replace CSP 'nonce-<base64>' directive with 'self' directive by joshdover · Pull Request #43553 · elastic/kibana

joshdover · 2019-08-19T22:06:07Z

Summary

This replaces our usage of the 'nonce-{nonce}' directive with 'self' which will allow us to support dynamic imports more easily.

This change is BWC by adding fixes for any invalid rules in the csp.rules config option:

If any CSP rules contain the {nonce} template, that source will be removed and a warning will be logged.
If a CSP rule does not contain 'self', it will be added and a warning will be logged.

Dev Docs

Kibana no longer supports the {nonce} notation in the csp.rules configuration. These will be replaced with the 'self' source directive automatically and log a deprecation warning. The {nonce} notation must be removed before upgrading to 8.0.

Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

This was checked for cross-browser compatibility, including a check against IE11
Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
Documentation was added for features that require explanation or tutorials
Unit or functional tests were updated or added to match the most common scenarios
This was checked for keyboard-only and screenreader accessibility

For maintainers

This was checked for breaking API changes and was labeled appropriately
This includes a feature addition or change that requires a release note and was labeled appropriately

elasticmachine · 2019-08-19T22:06:10Z

Pinging @elastic/kibana-security

kobelb · 2019-08-19T22:13:15Z

ACK: reviewing now

src/legacy/server/config/transform_deprecations.js

kobelb · 2019-08-19T22:41:03Z

src/legacy/server/config/transform_deprecations.js

If someone happened to set the following, we'll likely be breaking this install csp.rules: ["default-src 'unsafe-eval' 'nonce-{nonce}'"]. What if instead whenever we removed a nonce source, we added the 'self' source?

That should work. I think we should still also add it if script-src or style-src don't have self or nonce.

This seems reasonable to me.

src/legacy/server/csp/index.test.ts

test/api_integration/apis/general/csp.js

src/legacy/ui/ui_render/views/ui_app.pug

elasticmachine · 2019-08-19T23:05:34Z

💔 Build Failed

continuous-integration/kibana-ci/pull-request

elasticmachine · 2019-08-20T16:53:31Z

💔 Build Failed

continuous-integration/kibana-ci/pull-request

elasticmachine · 2019-08-20T21:18:19Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request

src/legacy/server/config/transform_deprecations.test.js

elasticmachine · 2019-08-21T15:49:10Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request

mistic

In the operations side it looks good to me! 👍

…#43553)

elasticmachine · 2019-08-21T20:18:05Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request

azasypkin · 2019-08-30T10:00:56Z

x-pack/legacy/plugins/security/server/routes/api/v1/authenticate.js

        <!DOCTYPE html>
        <title>Kibana OpenID Connect Login</title>
-        <script nonce="${nonce}">
+        <script>


question: hmmm @joshdover @kobelb aren't we effectively disabling execution of this script here assuming our default CSP rule is script-src 'unsafe-eval' 'self'; now?

Opened an issue to discuss: #44668

joshdover added Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. Feature:Security/CSP Platform Security - Content Security Policy labels Aug 19, 2019

joshdover requested review from epixa and kobelb August 19, 2019 22:06

joshdover requested review from a team as code owners August 19, 2019 22:06

joshdover added the v7.4.0 label Aug 19, 2019

kobelb reviewed Aug 19, 2019

View reviewed changes

joshdover added 2 commits August 20, 2019 10:56

Replace CSP 'nonce-<base64>' directive with 'self' directive

0f7828d

Address PR comments

4c1f14a

joshdover force-pushed the csp-nonce-to-self branch from c462845 to 4c1f14a Compare August 20, 2019 15:56

Fix OpenID test

0edbc68

joshdover requested a review from kobelb August 20, 2019 22:30

kobelb reviewed Aug 20, 2019

View reviewed changes

src/legacy/server/config/transform_deprecations.test.js Show resolved Hide resolved

Add test without self

4ba7810

kobelb approved these changes Aug 21, 2019

View reviewed changes

joshdover requested a review from mistic August 21, 2019 15:36

mistic approved these changes Aug 21, 2019

View reviewed changes

joshdover merged commit 5071c74 into elastic:master Aug 21, 2019

joshdover deleted the csp-nonce-to-self branch August 21, 2019 19:11

joshdover mentioned this pull request Aug 21, 2019

[7.x] Replace CSP 'nonce-<base64>' directive with 'self' directive (#43553) #43708

Merged

joshdover added a commit to joshdover/kibana that referenced this pull request Aug 21, 2019

Replace CSP 'nonce-<base64>' directive with 'self' directive (elastic…

7e39506

…#43553)

joshdover added a commit that referenced this pull request Aug 21, 2019

Replace CSP 'nonce-<base64>' directive with 'self' directive (#43553)

1331456

azasypkin reviewed Aug 30, 2019

View reviewed changes

joshdover mentioned this pull request Sep 3, 2019

CSP breaks OIDC authentication flow #44668

Closed

azasypkin mentioned this pull request Sep 5, 2019

Use external script for the OIDC Implicit flow handler page. #44866

Merged

TinaHeiligers mentioned this pull request Oct 8, 2021

[8.0] Remove support for configuring csp.rules #114379

Merged

7 tasks

Conversation

joshdover commented Aug 19, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Dev Docs

Checklist

For maintainers

Uh oh!

elasticmachine commented Aug 19, 2019

Uh oh!

kobelb commented Aug 19, 2019

Uh oh!

Uh oh!

kobelb Aug 19, 2019

Choose a reason for hiding this comment

Uh oh!

joshdover Aug 20, 2019

Choose a reason for hiding this comment

Uh oh!

kobelb Aug 20, 2019

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

elasticmachine commented Aug 19, 2019

💔 Build Failed

Uh oh!

elasticmachine commented Aug 20, 2019

💔 Build Failed

Uh oh!

elasticmachine commented Aug 20, 2019

💚 Build Succeeded

Uh oh!

Uh oh!

elasticmachine commented Aug 21, 2019

💚 Build Succeeded

Uh oh!

mistic left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Aug 21, 2019

💚 Build Succeeded

Uh oh!

azasypkin Aug 30, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

joshdover Sep 3, 2019

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

joshdover commented Aug 19, 2019 •

edited

Loading

azasypkin Aug 30, 2019 •

edited

Loading