

Adding "style-src 'unsafe-inline' 'self'" to default CSP rules (#41305)
* Adding "style-src 'unsafe-inline' 'self'" to default CSP rules

* Updating jest snapshot

* Fixing api integration smoke test

* Verifying all CSP responses

* Fixing OIDC implicit flow test
kobelb authored Aug 9, 2019
1 parent 7b39137 commit 2ce2bfb
Showing 4 changed files with 28 additions and 12 deletions.
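--- a/src/legacy/server/csp/index.test.ts
+++ b/src/legacy/server/csp/index.test.ts
@@ -39,12 +39,13 @@ import {
 // the nature of a change in defaults during a PR review.
 test('default CSP rules', () => {
 expect(DEFAULT_CSP_RULES).toMatchInlineSnapshot(`
-Array [
-"script-src 'unsafe-eval' 'nonce-{nonce}'",
-"worker-src blob:",
-"child-src blob:",
-]
-`);
+Array [
+"script-src 'unsafe-eval' 'nonce-{nonce}'",
+"worker-src blob:",
+"child-src blob:",
+"style-src 'unsafe-inline' 'self'",
+]
+`);
 });
 
 test('CSP strict mode defaults to disabled', () => {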
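--- a/src/legacy/server/csp/index.ts
+++ b/src/legacy/server/csp/index.ts
@@ -26,6 +26,7 @@ export const DEFAULT_CSP_RULES = Object.freeze([
 `script-src 'unsafe-eval' 'nonce-{nonce}'`,
 'worker-src blob:',
 'child-src blob:',
+`style-src 'unsafe-inline' 'self'`,
 ]);
 
 export const DEFAULT_CSP_STRICT = true;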
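Review bot: The new `style-src` entry carries no comment recording why `'unsafe-inline'` is acceptable for styles while `script-src` deliberately stays nonce-gated, so a later audit of the default policy cannot tell a deliberate trade-off from an oversight. I'd add above the line `// 'unsafe-inline' lets runtime-injected inline styles load; it does not weaken script-src, but injected CSS still applies — revisit if a style nonce becomes practical.` The same comment should note that, under CSP Level 2/3 semantics, adding a nonce or hash to `style-src` later makes browsers ignore `'unsafe-inline'`, so the two cannot be combined as a gradual migration. The array's opening `Object.freeze([` sits on the hunk header line, above the visible hunk.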
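--- a/test/api_integration/apis/general/csp.js
+++ b/test/api_integration/apis/general/csp.js
@@ -27,13 +27,27 @@ export default function ({ getService }) {
 const response = await supertest.get('/app/kibana');
 
 expect(response.headers).to.have.property('content-security-policy');
-});
+const header = response.headers['content-security-policy'];
+const parsed = new Map(header.split(';').map(rule => {
+const parts = rule.trim().split(' ');
+const key = parts.splice(0, 1)[0];
+return [key, parts];
+}));
 
-it('csp header does not allow all inline scripts', async () => {
-const response = await supertest.get('/app/kibana');
+// ensure script-src uses a nonce, and remove it so we can .eql everything else
+const scriptSrc = parsed.get('script-src');
+expect(scriptSrc).to.be.an(Array);
+const nonceIndex = scriptSrc.findIndex(value => value.startsWith(`'nonce-`));
+expect(nonceIndex).greaterThan(-1);
+scriptSrc.splice(nonceIndex, 1);
 
-expect(response.headers['content-security-policy']).to.contain('script-src');
-expect(response.headers['content-security-policy']).not.to.contain('unsafe-inline');
+const entries = Array.from(parsed.entries());
+expect(entries).to.eql([
+[ 'script-src', [ '\'unsafe-eval\'' ] ],
+[ 'worker-src', [ 'blob:' ] ],
+[ 'child-src', [ 'blob:' ] ],
+[ 'style-src', [ '\'unsafe-inline\'', '\'self\'' ] ]
+]);
 });
 });
 }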
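Review bot: Building `parsed` as a `Map` silently collapses duplicate directive names, so a regression that emitted `script-src` twice (the second copy without a nonce) would still satisfy the `.eql` assertion at the end of the hunk. Before constructing the map I'd assert uniqueness: `const keys = header.split(';').map(rule => rule.trim().split(' ')[0]);` followed by `expect(new Set(keys).size).to.be(keys.length);`. The nonce check also only tests the `'nonce-` prefix, so an empty `'nonce-'` token would pass; adding `expect(scriptSrc[nonceIndex]).to.match(/^'nonce-\S+'$/);` before the `splice` pins that a value is actually present, whatever alphabet the server uses. The `it` callback and its enclosing `describe` begin above the hunk.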
Expand Up @@ -53,7 +53,7 @@ export default function({ getService }: FtrProviderContext) {
expect(response.headers['content-type']).to.be('text/html; charset=utf-8');
expect(response.headers['cache-control']).to.be('private, no-cache, no-store');
expect(response.headers['content-security-policy']).to.be(
`script-src 'unsafe-eval' 'nonce-${scriptNonce}'; worker-src blob:; child-src blob:`
`script-src 'unsafe-eval' 'nonce-${scriptNonce}'; worker-src blob:; child-src blob:; style-src 'unsafe-inline' 'self'`
);

// Check that script that forwards URL fragment worked correctly.

