-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DISCUSS] Use script-src 'self'
instead of script-src 'nonce-<base64-value>'
#42497
Comments
Pinging @elastic/kibana-security |
/cc @epixa |
Using the nonce directive in our CSP policy adds friction to adding dynamic import support to New Platform plugins. Dynamic imports are considered a necessity for NP plugins due the fact that all NP plugins will run in the browser at once, and not being able to use dynamic imports will make these bundles grow very large. When a NP plugin tries to use a dynamic import, Webpack does not attach the nonce directive to the
This can be worked around by adding the Additionally, it seems dangerous to expose our CSP nonce as a global variable. I could be wrong, but it seems malicious code could use this nonce to load untrusted scripts from external sources with this knowledge. Moving to 'self' would solve this problem completely by allowing any scripts from the Kibana server to be loaded. |
This was briefly discussed with the original implementation of CSP. Even if we didn't expose the CSP nonce as a global variable, already running JavaScript is able to query the DOM to find a script tag with an existing |
From a security perspective, I think the difference between I think this is more of an exercise of theory than of practice though. If We have to carefully consider BWC ramifications of doing this in 7.x. I'm not sure we should rule it out, but we should understand the ramifications. |
That's a good point I hadn't thought of. Theoretically, we could instruct administrators to customize their csp rules to specify a host including the sub-paths in these situations. This isn't likely something we'd want to do automatically though, as Kibana is commonly behind a reverse-proxy or load balancer and getting users to configure the "public facing URL" of Kibana has proven problematic for both Reporting and SAML.
Are there any BWC ramifications that you're thinking of? The only ones that come to mind are third-party plugins which are currently using the |
@kobelb If people modified their |
Good call. In a similar vein, we'd likely want to force add the |
@kobelb I can implement this if needed, just let me know. |
@joshdover if you're offering, and there are no other objections, by all means! |
The current default CSP rules use
script-src 'unsafe-eval' 'nonce-<base64-value>'
. This has proven problematic when using third-party dependencies which load their own scripts, requires plugin authors to add anonce
in certain situations and it's now proving problematic for the new platform to support dynamic imports.I was recently reading through the white-paper which was the impetus for the introduction of the concept of a nonce to determine the original problem that they were trying to solve, to determine whether it'd be appropriate for us to switch to
script-src 'self'
or whether we'd be abandoning the benefits of the nonce. Based on my understanding of the paper, the concept of a nonce was added because a large number of CSP policies ended up white-listing unsafe endpoints which allowed attackers to perform a XSS. This would not be an issue if we were to switch toscript-src 'self'
as we would only be allowed to load scripts from Kibana itself, which is a secure endpoint.I'm unable to think of any other reason which would prevent us from switching to
script-src 'self'
, but I'd like to hear from others before making this decision.The text was updated successfully, but these errors were encountered: