Add CSP header to all requests, including api requests #144902
Previously api requests didn't include a Content-Security-Policy header
💚 Build Succeeded
To update your PR or re-run it, just comment with: cc @watson
It's not any more work to do it now than to do it later; if anything, it's easier to implement once we have a concrete use-case.
Fair enough
!remindme 6m
LGTM! All working as expected.
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI.
Manual backport: to create the backport manually run:
Questions? Please refer to the Backport tool documentation.
(#145449) Backport: this will backport the following commits from `main` to `8.6`:
- [Add CSP header to all requests, including api requests (#144902)](#144902)
Questions? Please refer to the Backport tool documentation (https://github.com/sqren/backport).
Co-authored-by: Thomas Watson <watson@elastic.co>
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
Conflicts:
- src/core/server/http_resources/http_resources_service.test.ts
- src/core/server/http_resources/http_resources_service.ts
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871 (cherry picked from commit 5550ab6)
Conflicts:
- packages/core/http/core-http-server-mocks/src/test_utils.ts
- src/core/server/http/lifecycle_handlers.test.ts
- src/core/server/http_resources/http_resources_service.test.ts
- src/core/server/http_resources/http_resources_service.ts
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
(#145552) Backport: this will backport the following commits from `main` to `8.5`:
- [Add CSP header to all requests, including api requests (#144902)](#144902)
Pinging @elastic/kibana-security (Team:Security)
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes elastic#143871
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync.
… (#145553) Backport: this will backport the following commits from `main` to `7.17`:
- [Add CSP header to all requests, including api requests (#144902)](#144902)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Previously `/api/*` requests didn't include a `Content-Security-Policy` header, now they do. Closes #143871

Note to reviewers

I've tried to add tests that validate that 1) `kbn-name` and `Content-Security-Policy` cannot be overwritten by plugins/route handlers and 2) all routes are now covered, both `/api/*` and otherwise. It was difficult to find a good place to test this, but I think what I have now in the PR covers it. Please verify.

Release note

Adds a `Content-Security-Policy` header to all `/api/*` responses. Any Kibana HTTP endpoint starting with `/api/*` previously didn't include a `Content-Security-Policy` header, but will now share the same header as the regular Kibana HTTP routes.

Todo

- `/api/*` requests now have a `Content-Security-Policy` header (I think this is now indirectly checked by the new lifecycle test added in this PR since that's validating any route)
- `Content-Security-Policy` header cannot be overwritten, similar to the old tests
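As an added example (not Kibana's code and not the tests from this PR), the TypeScript below models the two properties the description and todo list call for: a single post-handler step stamps `Content-Security-Policy` and `kbn-name` onto every response, `/api/*` or otherwise (including the 404 for unknown paths), and any value a route handler supplied for those two names, in any casing, is discarded rather than honoured. The route table, policy string, `kbn-name` value and every function name are constructed for the example; Kibana's real configuration and lifecycle API are not shown on this page.

```typescript
// Added example, not Kibana's code: a minimal model of a response-lifecycle
// step that enforces two protected headers on every route. Policy, name and
// routes are constructed sample values, not Kibana's.

type Headers = { [name: string]: string };

interface Response {
  status: number;
  headers: Headers;
  body: string;
}

type RouteHandler = (path: string) => Response;

// Constructed sample values; in a real server these come from configuration.
const CSP_POLICY = "default-src 'self'; object-src 'none'";
const KBN_NAME = 'example-kibana';

// Header names that route handlers and plugins must not be able to set.
// HTTP header names are case-insensitive, so compare them lower-cased.
const PROTECTED_HEADERS = ['content-security-policy', 'kbn-name'];

function isProtected(name: string): boolean {
  return PROTECTED_HEADERS.indexOf(name.toLowerCase()) !== -1;
}

// Runs after every route handler: drops any handler-supplied value for a
// protected name (whatever its casing) and sets the canonical values.
function applySecurityHeaders(res: Response): Response {
  const headers: Headers = {};
  for (const name of Object.keys(res.headers)) {
    if (!isProtected(name)) headers[name] = res.headers[name];
  }
  headers['Content-Security-Policy'] = CSP_POLICY;
  headers['kbn-name'] = KBN_NAME;
  return { ...res, headers };
}

// Constructed route table: an API route, a UI route, and a handler that tries
// to replace both protected headers (the case the PR's tests guard against).
const routes: { [path: string]: RouteHandler | undefined } = {
  '/api/status': () => ({
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: '{"ok":true}',
  }),
  '/app/home': () => ({
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: '<html></html>',
  }),
  '/api/override-attempt': () => ({
    status: 200,
    headers: {
      'content-security-policy': 'default-src *',
      'KBN-NAME': 'spoofed',
      'content-type': 'text/plain',
    },
    body: '',
  }),
};

// Dispatch one request. The security step runs on every response, including
// the 404 produced for unknown paths, so no route can be left uncovered.
function handle(path: string): Response {
  const handler = routes[path];
  const res: Response = handler
    ? handler(path)
    : { status: 404, headers: {}, body: 'Not Found' };
  return applySecurityHeaders(res);
}

// True when a response carries exactly the canonical protected headers and no
// other casing of them (a surviving 'KBN-NAME' from a handler is a failure).
function hasSecurityHeaders(res: Response): boolean {
  const protectedKeys = Object.keys(res.headers).filter(isProtected);
  return (
    protectedKeys.length === 2 &&
    res.headers['Content-Security-Policy'] === CSP_POLICY &&
    res.headers['kbn-name'] === KBN_NAME
  );
}

// Sweep every registered route plus an unknown path, mirroring the PR's
// "all routes are covered" check; returns the paths that fail.
function checkAllRoutes(): string[] {
  const paths = Object.keys(routes).concat(['/does-not-exist']);
  return paths.filter((p) => !hasSecurityHeaders(handle(p)));
}

const failures = checkAllRoutes();
console.log(
  failures.length === 0
    ? 'all routes carry Content-Security-Policy and kbn-name'
    : 'routes missing security headers: ' + failures.join(', ')
);
```

The check deliberately counts protected keys rather than only asserting the canonical values: a naive implementation that sets `Content-Security-Policy` while leaving a handler's `content-security-policy` in place would pass a value-only assertion yet emit two conflicting headers on the wire.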