[8.0] Remove support for configuring csp.rules #114379
Conversation
TinaHeiligers
added
backport:skip
|
@elasticmachine merge upstream |
TinaHeiligers
added
the
Team:Core
|
Pinging @elastic/kibana-core (Team:Core) |
TinaHeiligers
added
the
Feature:Security/CSP
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
LGTM, found a couple of tiny nits in the comments below. Also one more in the dev docs but GitHub won't let me add comments on unchanged sections. Suggested change:
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
index 6d086de63c3..88d8b7f9da5 100644
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@@ -495,8 +495,8 @@ To disable, set to `null`. *Default:* `null`
| Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[`Content-Security-Policy`] and
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options[`X-Frame-Options`] headers are configured to disable embedding
{kib} in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors:
-'self'` directive to the `Content-Security-Policy` response header (if you are using the default CSP rules), and adds the `X-Frame-Options:
-SAMEORIGIN` response header. *Default:* `false`
+'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header. *Default:*
+`false`
| `server.customResponseHeaders:` {ess-icon}
| Header names and values to
docs/development/core/server/kibana-plugin-core-server.icspconfig.disableembedding.md
Show resolved
Hide resolved
| this.#directives.clearDirectiveValues('frame-ancestors'); | ||
| this.#directives.addDirectiveValue('frame-ancestors', `'self'`); | ||
| } | ||
|
|
||
| this.rules = this.#directives.getRules(); |
There was a problem hiding this comment.
This class was the only consumer of CspDirectives.getRules(). I don't suppose we ever actually needed to expose the individual rules anyway, we really just needed to expose the CSP header.
Nit: Since you've removed this usage here, you could remove that method from the CspDirectives class (or just make it private) and remove those assertions from its unit tests, too.
There was a problem hiding this comment.
True, there's no need to keep getRules since we are only using it within the CspDirectives class. I've removed it (inlining directly in getCspHeader) and updated the tests.
src/core/server/http_resources/integration_tests/http_resources_service.test.ts
Outdated
Show resolved
Hide resolved
src/core/server/http_resources/integration_tests/http_resources_service.test.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: |
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Related to #103915
Removes support for
csp.rulesCSP misconfiguration is a regular cause of frustration for users and support tickets and to help alleviate the issue, we implemented additive configuration. Configuring
csp.ruleswas deprecated at the same time with a warning that support for the configuration would be removed in 8.0.This PR removes support for configuring csp.rules and as a consequence.
As a consequence, this PR also handles the conditional config deprecation on specific rules (can't include
nonce, must includeselfintroduced in 7.4)Note: The underlying implementation remains the same in that we combine the default Kibana rules with specific, per-directive configurations to compose the http request header.
Checklist
added to/removed from the docker listIf a plugin configuration key changed, check if it needs to be allowlisted in the cloud
For maintainers
Release Note
Support for the
csp.rulesconfiguration property has been removed in favor of directive specific configuration. Configuring the defaultcsp.script_src,csp.workers_srcandcsp.style_srcvalues is not required.