-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[8.0] Remove support for configuring csp.rules #114379
[8.0] Remove support for configuring csp.rules #114379
Conversation
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kibana-docker LGTM
Pinging @elastic/kibana-core (Team:Core) |
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, found a couple of tiny nits in the comments below. Also one more in the dev docs but GitHub won't let me add comments on unchanged sections. Suggested change:
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
index 6d086de63c3..88d8b7f9da5 100644
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@@ -495,8 +495,8 @@ To disable, set to `null`. *Default:* `null`
| Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[`Content-Security-Policy`] and
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options[`X-Frame-Options`] headers are configured to disable embedding
{kib} in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors:
-'self'` directive to the `Content-Security-Policy` response header (if you are using the default CSP rules), and adds the `X-Frame-Options:
-SAMEORIGIN` response header. *Default:* `false`
+'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header. *Default:*
+`false`
| `server.customResponseHeaders:` {ess-icon}
| Header names and values to
docs/development/core/server/kibana-plugin-core-server.icspconfig.disableembedding.md
Show resolved
Hide resolved
this.#directives.clearDirectiveValues('frame-ancestors'); | ||
this.#directives.addDirectiveValue('frame-ancestors', `'self'`); | ||
} | ||
|
||
this.rules = this.#directives.getRules(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This class was the only consumer of CspDirectives.getRules()
. I don't suppose we ever actually needed to expose the individual rules anyway, we really just needed to expose the CSP header.
Nit: Since you've removed this usage here, you could remove that method from the CspDirectives
class (or just make it private) and remove those assertions from its unit tests, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, there's no need to keep getRules
since we are only using it within the CspDirectives
class. I've removed it (inlining directly in getCspHeader
) and updated the tests.
src/core/server/http_resources/integration_tests/http_resources_service.test.ts
Outdated
Show resolved
Hide resolved
src/core/server/http_resources/integration_tests/http_resources_service.test.ts
Outdated
Show resolved
Hide resolved
@elasticmachine merge upstream |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: |
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Related to #103915
Removes support for
csp.rules
CSP misconfiguration is a regular cause of frustration for users and support tickets and to help alleviate the issue, we implemented additive configuration. Configuring
csp.rules
was deprecated at the same time with a warning that support for the configuration would be removed in 8.0.This PR removes support for configuring csp.rules and as a consequence.
As a consequence, this PR also handles the conditional config deprecation on specific rules (can't include
nonce
, must includeself
introduced in 7.4)Note: The underlying implementation remains the same in that we combine the default Kibana rules with specific, per-directive configurations to compose the http request header.
Checklist
added to/removed from the docker listIf a plugin configuration key changed, check if it needs to be allowlisted in the cloud
For maintainers
Release Note
Support for the
csp.rules
configuration property has been removed in favor of directive specific configuration. Configuring the defaultcsp.script_src
,csp.workers_src
andcsp.style_src
values is not required.