
Add Enterprise Search Host to form-action CSP directive #206458

Open
legrego opened this issue Jan 13, 2025 · 2 comments
Labels: blocked; enhancement (New value added to drive a business result); Feature:Security/CSP (Platform Security - Content Security Policy); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments


legrego commented Jan 13, 2025

Our form-action CSP directive is currently set to self. We should add the enterprise search host, if configured via xpack.enterpriseSearch.host ( ).

form-action is set as a "report only" directive. Adding this additional host will reduce the noise in our reports, and boost our confidence in promoting this to an enforced directive.

Blocked on portions of #181812

@legrego legrego added enhancement New value added to drive a business result Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Jan 13, 2025
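To make the point of the issue concrete, here is an added example (not Kibana code, and not from the issue author) that builds a form-action policy header and checks which form submission targets it allows. It assumes a constructed Kibana origin (https://kibana.example:5601), a constructed Enterprise Search host (https://ent-search.example:3002) and a hypothetical report endpoint (/csp-report); none of these come from the page. It models only the source expressions the issue discusses ('self', 'none' and host-sources with optional scheme and port), not wildcards, paths or nonces, and it shows why a report-only form-action 'self' produces a report for every submission to the Enterprise Search host until that host is added.

```javascript
// Added example, not Kibana's implementation. Hosts and paths are constructed.

// Build the header. Report-only policies log violations but do not block.
function buildFormActionPolicy(sources, { enforce = false, reportUri } = {}) {
  const directives = [`form-action ${sources.join(' ')}`];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return {
    header: enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only',
    value: directives.join('; '),
  };
}

// Default ports used when a host-source omits the port.
function defaultPort(scheme) {
  return { http: '80', https: '443', ws: '80', wss: '443' }[scheme] || '';
}

// Minimal CSP source-expression matcher: 'self', 'none', and host-sources
// such as https://ent-search.example:3002. Wildcards, paths and nonces are
// deliberately not modeled; this is enough for the directive on this page.
function sourceMatches(source, pageUrl, target) {
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === pageUrl.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const targetScheme = target.protocol.replace(':', '');
  if (scheme) {
    if (scheme.toLowerCase() !== targetScheme) return false;
  } else {
    // No scheme: inherit the page scheme; an http page may upgrade to https.
    const pageScheme = pageUrl.protocol.replace(':', '');
    const ok = targetScheme === pageScheme || (pageScheme === 'http' && targetScheme === 'https');
    if (!ok) return false;
  }
  if (host.toLowerCase() !== target.hostname.toLowerCase()) return false;
  const targetPort = target.port || defaultPort(targetScheme);
  if (port === '*') return true;
  if (port) return port === targetPort;
  // No port in the expression: the target must use the scheme's default port.
  return targetPort === defaultPort(targetScheme);
}

// Evaluate one form submission against the policy.
// form-action does not fall back to default-src, so a policy without the
// directive places no restriction at all.
function evaluateFormSubmission(policy, pageUrl, actionUrl) {
  const directive = policy.value
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('form-action '));
  const enforced = policy.header === 'Content-Security-Policy';
  if (!directive) return { allowed: true, reported: false, blocked: false };
  const sources = directive.split(/\s+/).slice(1);
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, pageUrl);
  const allowed = sources.some((s) => sourceMatches(s, page, target));
  return { allowed, reported: !allowed, blocked: !allowed && enforced };
}

// Constructed origins for the walkthrough (not from the issue).
const KIBANA_PAGE = 'https://kibana.example:5601/app/enterprise_search';
const ENT_SEARCH_HOST = 'https://ent-search.example:3002';

// Current state described in the issue: report-only, 'self' only.
const currentPolicy = buildFormActionPolicy(["'self'"], { reportUri: '/csp-report' });
// Proposed state: Enterprise Search host added to the source list.
const proposedPolicy = buildFormActionPolicy(["'self'", ENT_SEARCH_HOST], { reportUri: '/csp-report' });
// What enforcing the current policy unchanged would do.
const enforcedCurrentPolicy = buildFormActionPolicy(["'self'"], { enforce: true });

function demo() {
  const action = `${ENT_SEARCH_HOST}/login`;
  return {
    currentHeader: `${currentPolicy.header}: ${currentPolicy.value}`,
    sameOrigin: evaluateFormSubmission(currentPolicy, KIBANA_PAGE, '/api/login'),
    current: evaluateFormSubmission(currentPolicy, KIBANA_PAGE, action),
    proposed: evaluateFormSubmission(proposedPolicy, KIBANA_PAGE, action),
    enforcedCurrent: evaluateFormSubmission(enforcedCurrentPolicy, KIBANA_PAGE, action),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the current policy, a same-origin form post is fine but every post to the Enterprise Search host generates a report without being blocked (report-only); with the host added, the report goes away, which is the noise reduction the issue describes. Enforcing the unchanged policy would turn that noise into blocked submissions, which is why the issue wants the source list right before promotion. Note that a host-source without a port only matches the scheme's default port, so `https://ent-search.example` would not cover a deployment on port 3002.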
@elasticmachine (Contributor) commented:

Pinging @elastic/kibana-security (Team:Security)


legrego commented Feb 4, 2025

This enterprise search feature has been removed in 9.0, which decreases the priority of this issue.
