
Default restrictive Content Security Policy for non-app requests #51323

Open
kobelb opened this issue Nov 21, 2019 · 1 comment
Labels
Feature:Hardening Harding of Kibana from a security perspective Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments


kobelb commented Nov 21, 2019

Requests to load the client-side of Kibana will still be served with the content security policy defined with csp.rules, but other responses sent from the Kibana server could include a content security policy that is especially restrictive.

For most static files this isn't necessary, but it also isn't harmful. For certain static files, like SVGs, this policy will help protect against dynamic scripting when loading them directly in the browser.

Originally started in #47375.

As noted in #47375, we should start by introducing a CSP of

```
'content-security-policy': default-src 'none'
```

for any response which does not itself include a CSP.

PR should also include functional (end-to-end) tests verifying this behavior.

This comment notes the following:

> this likely breaks the graphql dev interface that is being used at least for SIEM.

I do not believe that SIEM uses graphql anymore, so this is likely something that we don't have to worry about.

@kobelb kobelb added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/CSP Platform Security - Content Security Policy labels Nov 21, 2019
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@kobelb kobelb added the Feature:Hardening Harding of Kibana from a security perspective label Nov 21, 2019
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 4, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022

4 participants