Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply Content-Security-Policy to all server responses #143871

Closed
legrego opened this issue Oct 24, 2022 · 1 comment · Fixed by #144902
Closed

Apply Content-Security-Policy to all server responses #143871

legrego opened this issue Oct 24, 2022 · 1 comment · Fixed by #144902
Labels
enhancement New value added to drive a business result Feature:Hardening Harding of Kibana from a security perspective Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Copy link
Member

legrego commented Oct 24, 2022

We include a Content-Security-Policy on all app requests, but calls that only return data (e.g. /api/*) are not currently protected.

We discussed a more restrictive CSP for these types of requests (#51323), but we feel that:

  1. It's confusing for administrators from a configuration standpoint
  2. It's riskier from a backwards compatibility standpoint. We may consider adopting Default restrictive Content Security Policy for non-app requests #51323 as part of a major release.

Tasks:

  1. Find a common injection point for all CSP responses. For inspiration, we can see what we did here: Add config properties for HTTP security headers #97158.
  2. Remove existing CSP injection points (e.g.

    kibana/packages/core/http/core-http-resources-server-internal/src/http_resources_service.ts

    Line 119 in c8a2ee2

    headers: { ...options.headers, 'content-security-policy': cspHeader },
    )
  3. Additional tests to ensure this is functioning properly
@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/CSP Platform Security - Content Security Policy Feature:Hardening Harding of Kibana from a security perspective labels Oct 24, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@watson watson mentioned this issue Nov 9, 2022
Merged
5 tasks
watson pushed a commit that referenced this issue Nov 16, 2022
Add CSP header to all requests, including api requests (#144902)
5550ab6 
Previously `/api/*` requests didn't include a `Content-Security-Policy`
header, now they do.

Closes #143871
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Nov 16, 2022
Add CSP header to all requests, including api requests (elastic#144902)
296444e 
Previously `/api/*` requests didn't include a `Content-Security-Policy`
header, now they do.

Closes elastic#143871

(cherry picked from commit 5550ab6)
kibanamachine added a commit that referenced this issue Nov 16, 2022
@kibanamachine
[8.6] Add CSP header to all requests, including api requests (#144902) (
a9f7ba6 
#145449)

# Backport

This will backport the following commits from `main` to `8.6`:
- [Add CSP header to all requests, including api requests
(#144902)](#144902)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Thomas
Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}]
BACKPORT-->

Co-authored-by: Thomas Watson <watson@elastic.co>
@watson watson mentioned this issue Nov 17, 2022
Merged
watson pushed a commit to watson/kibana that referenced this issue Nov 17, 2022
Add CSP header to all requests, including api requests (elastic#144902)
ffe9a55 
Previously `/api/*` requests didn't include a `Content-Security-Policy`
header, now they do.

Closes elastic#143871

(cherry picked from commit 5550ab6)

# Conflicts:
#	src/core/server/http_resources/http_resources_service.test.ts
#	src/core/server/http_resources/http_resources_service.ts
watson pushed a commit to watson/kibana that referenced this issue Nov 17, 2022
Add CSP header to all requests, including api requests (elastic#144902)
553bad0 
Previously `/api/*` requests didn't include a `Content-Security-Policy`
header, now they do.

Closes elastic#143871

(cherry picked from commit 5550ab6)

# Conflicts:
#	packages/core/http/core-http-server-mocks/src/test_utils.ts
#	src/core/server/http/lifecycle_handlers.test.ts
#	src/core/server/http_resources/http_resources_service.test.ts
#	src/core/server/http_resources/http_resources_service.ts
@watson watson mentioned this issue Nov 17, 2022
Merged
watson pushed a commit that referenced this issue Nov 17, 2022
[8.5] Add CSP header to all requests, including api requests (#144902) (
723a55e 
#145552)

# Backport

This will backport the following commits from `main` to `8.5`:
- [Add CSP header to all requests, including api requests
(#144902)](#144902)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Thomas
Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.6.0","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/145449","number":145449,"state":"MERGED","mergeCommit":{"sha":"a9f7ba61f128e61beb936d2caff143e93e3321ea","message":"[8.6]
Add CSP header to all requests, including api requests (#144902)
(#145449)\n\n# Backport\n\nThis will backport the following commits from
`main` to `8.6`:\n- [Add CSP header to all requests, including api
requests\n(#144902)](https://github.com/elastic/kibana/pull/144902)\n\n<!---
Backport version: 8.9.7 -->\n\n### Questions ?\nPlease refer to the
[Backport
tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT
[{\"author\":{\"name\":\"Thomas\nWatson\",\"email\":\"watson@elastic.co\"},\"sourceCommit\":{\"committedDate\":\"2022-11-16T20:45:10Z\",\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\",\"branchLabelMapping\":{\"^v8.7.0$\":\"main\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:enhancement\",\"backport:all-open\",\"v8.7.0\"],\"number\":144902,\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"mergeCommit\":{\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v8.7.0\",\"labelRegex\":\"^v8.7.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"number\":144902,\"mergeCommit\":{\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}}]}]\nBACKPORT-->\n\nCo-authored-by:
Thomas Watson
<watson@elastic.co>"}},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}]
BACKPORT-->
benakansara pushed a commit to benakansara/kibana that referenced this issue Nov 17, 2022
@benakansara
Add CSP header to all requests, including api requests (elastic#144902)
59cfa35 
Previously `/api/*` requests didn't include a `Content-Security-Policy`
header, now they do.

Closes elastic#143871
watson pushed a commit that referenced this issue Nov 21, 2022
@kibanamachine
[7.17] Add CSP header to all requests, including api requests (#144902)…
18c40db 
… (#145553)

# Backport

This will backport the following commits from `main` to `7.17`:
- [Add CSP header to all requests, including api requests
(#144902)](#144902)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Thomas
Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.6.0","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/145449","number":145449,"state":"MERGED","mergeCommit":{"sha":"a9f7ba61f128e61beb936d2caff143e93e3321ea","message":"[8.6]
Add CSP header to all requests, including api requests (#144902)
(#145449)\n\n# Backport\n\nThis will backport the following commits from
`main` to `8.6`:\n- [Add CSP header to all requests, including api
requests\n(#144902)](https://github.com/elastic/kibana/pull/144902)\n\n<!---
Backport version: 8.9.7 -->\n\n### Questions ?\nPlease refer to the
[Backport
tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT
[{\"author\":{\"name\":\"Thomas\nWatson\",\"email\":\"watson@elastic.co\"},\"sourceCommit\":{\"committedDate\":\"2022-11-16T20:45:10Z\",\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\",\"branchLabelMapping\":{\"^v8.7.0$\":\"main\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:enhancement\",\"backport:all-open\",\"v8.7.0\"],\"number\":144902,\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"mergeCommit\":{\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v8.7.0\",\"labelRegex\":\"^v8.7.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"number\":144902,\"mergeCommit\":{\"message\":\"Add\nCSP
header to all requests, including api
requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include
a\n`Content-Security-Policy`\\r\\nheader, now they
do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}}]}]\nBACKPORT-->\n\nCo-authored-by:
Thomas Watson
<watson@elastic.co>"}},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add
CSP header to all requests, including api requests
(#144902)\n\nPreviously `/api/*` requests didn't include a
`Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses
#143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}]
BACKPORT-->

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New value added to drive a business result Feature:Hardening Harding of Kibana from a security perspective Feature:Security/CSP Platform Security - Content Security Policy Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add CSP header to all requests, including api requests watson/kibana
2 participants
@legrego @elasticmachine