Add CSP header to all requests, including api requests #144902
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously api requests didn't include a Content-Security-Policy header
watson
force-pushed
the
csp-everywhere
branch
from
2f3776d
to
0db0c29
Compare
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @watson |
pgayvallet
reviewed
Nov 15, 2022
watson
added
release_note:enhancement
backport:all-open
pgayvallet
approved these changes
Nov 16, 2022
thomheymann
approved these changes
Nov 16, 2022
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 16, 2022
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Nov 16, 2022
#145449) # Backport This will backport the following commits from `main` to `8.6`: - [Add CSP header to all requests, including api requests (#144902)](#144902) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Thomas Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}] BACKPORT--> Co-authored-by: Thomas Watson <watson@elastic.co>
watson
pushed a commit
to watson/kibana
that referenced
this pull request
Nov 17, 2022
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6) # Conflicts: # src/core/server/http_resources/http_resources_service.test.ts # src/core/server/http_resources/http_resources_service.ts
watson
pushed a commit
to watson/kibana
that referenced
this pull request
Nov 17, 2022
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6) # Conflicts: # packages/core/http/core-http-server-mocks/src/test_utils.ts # src/core/server/http/lifecycle_handlers.test.ts # src/core/server/http_resources/http_resources_service.test.ts # src/core/server/http_resources/http_resources_service.ts
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
watson
pushed a commit
that referenced
this pull request
Nov 17, 2022
#145552) # Backport This will backport the following commits from `main` to `8.5`: - [Add CSP header to all requests, including api requests (#144902)](#144902) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Thomas Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.6.0","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/145449","number":145449,"state":"MERGED","mergeCommit":{"sha":"a9f7ba61f128e61beb936d2caff143e93e3321ea","message":"[8.6] Add CSP header to all requests, including api requests (#144902) (#145449)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.6`:\n- [Add CSP header to all requests, including api requests\n(#144902)](https://github.com/elastic/kibana/pull/144902)\n\n<!--- Backport version: 8.9.7 -->\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT [{\"author\":{\"name\":\"Thomas\nWatson\",\"email\":\"watson@elastic.co\"},\"sourceCommit\":{\"committedDate\":\"2022-11-16T20:45:10Z\",\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\",\"branchLabelMapping\":{\"^v8.7.0$\":\"main\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:enhancement\",\"backport:all-open\",\"v8.7.0\"],\"number\":144902,\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"mergeCommit\":{\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v8.7.0\",\"labelRegex\":\"^v8.7.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"number\":144902,\"mergeCommit\":{\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}}]}]\nBACKPORT-->\n\nCo-authored-by: Thomas Watson <watson@elastic.co>"}},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}] BACKPORT-->
KOTungseth
added
the
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
benakansara
pushed a commit
to benakansara/kibana
that referenced
this pull request
Nov 17, 2022
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871
kibanamachine
added
the
backport missing
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
watson
pushed a commit
that referenced
this pull request
Nov 21, 2022
… (#145553) # Backport This will backport the following commits from `main` to `7.17`: - [Add CSP header to all requests, including api requests (#144902)](#144902) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Thomas Watson","email":"watson@elastic.co"},"sourceCommit":{"committedDate":"2022-11-16T20:45:10Z","message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:all-open","v8.6.0","v8.7.0"],"number":144902,"url":"https://github.com/elastic/kibana/pull/144902","mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/145449","number":145449,"state":"MERGED","mergeCommit":{"sha":"a9f7ba61f128e61beb936d2caff143e93e3321ea","message":"[8.6] Add CSP header to all requests, including api requests (#144902) (#145449)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.6`:\n- [Add CSP header to all requests, including api requests\n(#144902)](https://github.com/elastic/kibana/pull/144902)\n\n<!--- Backport version: 8.9.7 -->\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sqren/backport)\n\n<!--BACKPORT [{\"author\":{\"name\":\"Thomas\nWatson\",\"email\":\"watson@elastic.co\"},\"sourceCommit\":{\"committedDate\":\"2022-11-16T20:45:10Z\",\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\",\"branchLabelMapping\":{\"^v8.7.0$\":\"main\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:enhancement\",\"backport:all-open\",\"v8.7.0\"],\"number\":144902,\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"mergeCommit\":{\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v8.7.0\",\"labelRegex\":\"^v8.7.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/144902\",\"number\":144902,\"mergeCommit\":{\"message\":\"Add\nCSP header to all requests, including api requests\n(#144902)\\n\\nPreviously `/api/*` requests didn't include a\n`Content-Security-Policy`\\r\\nheader, now they do.\\r\\n\\r\\nCloses\n#143871\",\"sha\":\"5550ab6cb10fbfddf437a74900103bb33dd1afa4\"}}]}]\nBACKPORT-->\n\nCo-authored-by: Thomas Watson <watson@elastic.co>"}},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/144902","number":144902,"mergeCommit":{"message":"Add CSP header to all requests, including api requests (#144902)\n\nPreviously `/api/*` requests didn't include a `Content-Security-Policy`\r\nheader, now they do.\r\n\r\nCloses #143871","sha":"5550ab6cb10fbfddf437a74900103bb33dd1afa4"}}]}] BACKPORT--> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
added
v7.17.8
and removed
backport missing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously
/api/*requests didn't include aContent-Security-Policyheader, now they do.Closes #143871
Note to reviewers
I've tried to add tests that validate that 1)
kbn-nameandContent-Security-Policycannot be overwitten by plugins/route handlers and 2) all routes are now covered, both/api/*and otherwise. It was difficult to find a good place to test this, but I think what I have now in the PR coveres it. Please verifyRelease note
Adds a
Content-Security-Policyheader to all/api/*responses. Any Kibana HTTP endpoint starting with/api/*previously didn't include aContent-Security-Policyheader, but will now share the same header as the regular Kibana HTTP routes.Todo
/api/*requests now have aContent-Security-Policyheader (I think this is now indirectly checked by the new lifecycle test added in this PR since that's validating any route)Content-Security-Policyheader cannot be overwritten, similar to the old tests