
Migrate CSP configuration #50644

Closed
3 tasks
mshustov opened this issue Nov 14, 2019 · 9 comments
Labels
Feature:Legacy Removal Issues related to removing legacy Kibana Feature:New Platform Feature:Security/CSP Platform Security - Content Security Policy Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@mshustov
Copy link
Contributor

mshustov commented Nov 14, 2019

Defines default CSP configuration.
It probably should be a part of the core HTTP service if necessary for the rendering service #41964

@mshustov mshustov added blocker Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Feature:New Platform labels Nov 14, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-platform (Team:Platform)

@joshdover
Copy link
Contributor

@Bamieh There are currently two usage collectors in the legacy kibana plugin, one for CSP and one for KQL usage. This plugin won't exist in the future (each app is being split out into its own plugin), so where do you suggest these usage collectors live?

For KQL, I think it would make sense to move it to the data plugin which owns KQL. However, for CSP, I think we should consider moving this to the OSS telemetry plugin. The reason is that this feature is owned by Core, but we cannot have usage collectors in Core.

Thoughts?

@mshustov
Copy link
Contributor Author

This logic can also be extracted out of chrome:

// Warn the user when the browser cannot enforce CSP and the config asks for the warning.
if (!this.params.browserSupportsCsp && injectedMetadata.getCspConfig().warnLegacyBrowsers) {
  notifications.toasts.addWarning(
    i18n.translate('core.chrome.legacyBrowserWarning', {
      defaultMessage: 'Your browser does not meet the security requirements for Kibana.',
    })
  );
}

https://github.com/elastic/kibana/blob/master/src/core/public/chrome/chrome_service.tsx#L158

@joshdover
Copy link
Contributor

@Bamieh bump on the question above regarding the CSP usage collector ^^

@joshdover joshdover removed their assignment Jan 13, 2020
@joshdover
Copy link
Contributor

@restrry will this be covered as part of #50654?

@mshustov
Copy link
Contributor Author

@joshdover nope, we will set the CSP header on all HTML pages automatically, but renaming the config is a separate task.
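An added example (not Kibana's code) that models the two behaviours raised in this thread: the chrome-service check above that warns a browser which cannot enforce CSP, and setting the CSP header on every HTML response automatically while leaving non-HTML responses alone. The config shape, the `res` object and the sample directives are assumptions for illustration, not Kibana's real schema.

```javascript
// Added example, not code from Kibana. Models setting a Content-Security-Policy
// header on every HTML page and deciding when to warn a legacy browser.
// The config shape below is an assumption for illustration, not Kibana's schema.

// Constructed sample config: directive name -> allowed sources.
const SAMPLE_CSP_CONFIG = {
  directives: {
    'script-src': ["'self'"],
    'worker-src': ['blob:', "'self'"],
    'style-src': ["'unsafe-inline'", "'self'"],
  },
  warnLegacyBrowsers: true,
};

// Serialise the directives into a header value. Insertion order is kept, so the
// output is deterministic and easy to compare in tests.
function buildCspHeader(config) {
  return Object.entries(config.directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Attach the header only when the response body is an HTML document; API/JSON
// responses are left untouched. `res` is a plain object standing in for a
// framework response (hypothetical shape: { headers: { 'content-type': ... } }).
function applyCspToResponse(res, config) {
  const contentType = res.headers['content-type'] || '';
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  if (mediaType === 'text/html') {
    res.headers['content-security-policy'] = buildCspHeader(config);
  }
  return res;
}

// Mirrors the chrome-service check quoted in this thread: warn only when the
// browser cannot enforce CSP and the config asks for the warning.
function shouldWarnLegacyBrowser(browserSupportsCsp, config) {
  return !browserSupportsCsp && config.warnLegacyBrowsers === true;
}

// Stand-alone demonstration on constructed responses.
const htmlRes = applyCspToResponse(
  { headers: { 'content-type': 'text/html; charset=utf-8' } }, SAMPLE_CSP_CONFIG);
const jsonRes = applyCspToResponse(
  { headers: { 'content-type': 'application/json' } }, SAMPLE_CSP_CONFIG);
console.log('html CSP:', htmlRes.headers['content-security-policy']);
console.log('json has CSP:', 'content-security-policy' in jsonRes.headers);
console.log('warn legacy browser:', shouldWarnLegacyBrowser(false, SAMPLE_CSP_CONFIG));
```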

@joshdover
Copy link
Contributor

Ah yes, forgot about the rename; should be trivial though 👍

@Bamieh
Copy link
Member

Bamieh commented Mar 23, 2020

@joshdover for some reason I had this issue on mute. Feel free to move the collector to the telemetry plugin until we find a better place for it to live.

@joshdover joshdover added Feature:Legacy Removal Issues related to removing legacy Kibana and removed blocker labels Apr 26, 2020
@jportner jportner added the Feature:Security/CSP Platform Security - Content Security Policy label Dec 3, 2021
@jportner jportner removed their assignment Dec 3, 2021
@pgayvallet
Copy link
Contributor

CSP has been integrated into Core's http domain a while back. Closing.

Projects
Status: Done (7.13)

6 participants