Move CSP config default values to csp module (#41676)

This gives us a little more control over the default values of these configurations to help ensure (though not guarantee) that any changes here can be audited by the security team.
elastic · Jul 22, 2019 · a177b86 · a177b86
1 parent dd63e73
commit a177b86
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/src/legacy/server/config/schema.js b/src/legacy/server/config/schema.js
@@ -29,7 +29,11 @@ import {
 import {
   getData
 } from '../path';
-import { DEFAULT_CSP_RULES } from '../csp';
+import {
+  DEFAULT_CSP_RULES,
+  DEFAULT_CSP_STRICT,
+  DEFAULT_CSP_WARN_LEGACY_BROWSERS,
+} from '../csp';
 
 export default () => Joi.object({
   pkg: Joi.object({
@@ -56,8 +60,8 @@ export default () => Joi.object({
 
   csp: Joi.object({
     rules: Joi.array().items(Joi.string()).default(DEFAULT_CSP_RULES),
-    strict: Joi.boolean().default(false),
-    warnLegacyBrowsers: Joi.boolean().default(true),
+    strict: Joi.boolean().default(DEFAULT_CSP_STRICT),
+    warnLegacyBrowsers: Joi.boolean().default(DEFAULT_CSP_WARN_LEGACY_BROWSERS),
   }).default(),
 
   cpu: Joi.object({

diff --git a/src/legacy/server/csp/index.test.ts b/src/legacy/server/csp/index.test.ts
@@ -17,7 +17,13 @@
  * under the License.
  */
 
-import { createCSPRuleString, DEFAULT_CSP_RULES, generateCSPNonce } from './';
+import {
+  createCSPRuleString,
+  generateCSPNonce,
+  DEFAULT_CSP_RULES,
+  DEFAULT_CSP_STRICT,
+  DEFAULT_CSP_WARN_LEGACY_BROWSERS,
+} from './';
 
 // CSP rules aren't strictly additive, so any change can potentially expand or
 // restrict the policy in a way we consider a breaking change. For that reason,
@@ -41,6 +47,14 @@ Array [
 `);
 });
 
+test('CSP strict mode defaults to disabled', () => {
+  expect(DEFAULT_CSP_STRICT).toBe(false);
+});
+
+test('CSP legacy browser warning defaults to enabled', () => {
+  expect(DEFAULT_CSP_WARN_LEGACY_BROWSERS).toBe(true);
+});
+
 test('generateCSPNonce() creates a 16 character string', async () => {
   const nonce = await generateCSPNonce();
 

diff --git a/src/legacy/server/csp/index.ts b/src/legacy/server/csp/index.ts
@@ -28,6 +28,10 @@ export const DEFAULT_CSP_RULES = Object.freeze([
   'child-src blob:',
 ]);
 
+export const DEFAULT_CSP_STRICT = false;
+
+export const DEFAULT_CSP_WARN_LEGACY_BROWSERS = true;
+
 export async function generateCSPNonce() {
   return (await randomBytesAsync(12)).toString('base64');
 }