From a177b8625820914e29bdf7ec4dc31b4d2e7acad0 Mon Sep 17 00:00:00 2001 From: Court Ewing Date: Mon, 22 Jul 2019 14:07:18 -0400 Subject: [PATCH] Move CSP config default values to csp module (#41676) This gives us a little more control over the default values of these configurations to help ensure (though not guarantee) that any changes here can be audited by the security team. --- src/legacy/server/config/schema.js | 10 +++++++--- src/legacy/server/csp/index.test.ts | 16 +++++++++++++++- src/legacy/server/csp/index.ts | 4 ++++ 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/src/legacy/server/config/schema.js b/src/legacy/server/config/schema.js index 1b237f2c8557c6..671d0165abe9b9 100644 --- a/src/legacy/server/config/schema.js +++ b/src/legacy/server/config/schema.js @@ -29,7 +29,11 @@ import { import { getData } from '../path'; -import { DEFAULT_CSP_RULES } from '../csp'; +import { + DEFAULT_CSP_RULES, + DEFAULT_CSP_STRICT, + DEFAULT_CSP_WARN_LEGACY_BROWSERS, +} from '../csp'; export default () => Joi.object({ pkg: Joi.object({ @@ -56,8 +60,8 @@ export default () => Joi.object({ csp: Joi.object({ rules: Joi.array().items(Joi.string()).default(DEFAULT_CSP_RULES), - strict: Joi.boolean().default(false), - warnLegacyBrowsers: Joi.boolean().default(true), + strict: Joi.boolean().default(DEFAULT_CSP_STRICT), + warnLegacyBrowsers: Joi.boolean().default(DEFAULT_CSP_WARN_LEGACY_BROWSERS), }).default(), cpu: Joi.object({ diff --git a/src/legacy/server/csp/index.test.ts b/src/legacy/server/csp/index.test.ts index 823501a6433fe3..9586166b65641a 100644 --- a/src/legacy/server/csp/index.test.ts +++ b/src/legacy/server/csp/index.test.ts @@ -17,7 +17,13 @@ * under the License. */ -import { createCSPRuleString, DEFAULT_CSP_RULES, generateCSPNonce } from './'; +import { + createCSPRuleString, + generateCSPNonce, + DEFAULT_CSP_RULES, + DEFAULT_CSP_STRICT, + DEFAULT_CSP_WARN_LEGACY_BROWSERS, +} from './'; // CSP rules aren't strictly additive, so any change can potentially expand or // restrict the policy in a way we consider a breaking change. For that reason, @@ -41,6 +47,14 @@ Array [ `); }); +test('CSP strict mode defaults to disabled', () => { + expect(DEFAULT_CSP_STRICT).toBe(false); +}); + +test('CSP legacy browser warning defaults to enabled', () => { + expect(DEFAULT_CSP_WARN_LEGACY_BROWSERS).toBe(true); +}); + test('generateCSPNonce() creates a 16 character string', async () => { const nonce = await generateCSPNonce(); diff --git a/src/legacy/server/csp/index.ts b/src/legacy/server/csp/index.ts index 78e943ebf772c5..96c359e61e25b2 100644 --- a/src/legacy/server/csp/index.ts +++ b/src/legacy/server/csp/index.ts @@ -28,6 +28,10 @@ export const DEFAULT_CSP_RULES = Object.freeze([ 'child-src blob:', ]); +export const DEFAULT_CSP_STRICT = false; + +export const DEFAULT_CSP_WARN_LEGACY_BROWSERS = true; + export async function generateCSPNonce() { return (await randomBytesAsync(12)).toString('base64'); }