Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add nonce- to our CSP policy to allow inlining bootstrap.js inside the application document #93785

Open
pgayvallet opened this issue Mar 5, 2021 · 9 comments
Open

Add nonce- to our CSP policy to allow inlining bootstrap.js inside the application document #93785

pgayvallet opened this issue Mar 5, 2021 · 9 comments
Labels
Feature:Security/CSP Platform Security - Content Security Policy Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@pgayvallet
Copy link
Contributor

In #92784, we migrated the /bootstrap.js endpoint from legacy to core.

The /bootstrap.js endpoint is now an unnecessary request, as we are technically able to inline this script in the application's document generated by the rendering service. However, our CSP policy currently forbid that, as we are legitimately disabling unsafe-inline by default.

Ideally, we would generate a nonce- id for each application request, and use it in the rendering service to add the nonce attribute to scripts we need to inline.
@pgayvallet pgayvallet added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:APM All issues that need APM UI Team support Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Mar 5, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

@elasticmachine
Copy link
Contributor

Pinging @elastic/apm-ui (Team:apm)

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@pgayvallet pgayvallet removed the Team:APM All issues that need APM UI Team support label Mar 5, 2021
@pgayvallet pgayvallet mentioned this issue Mar 5, 2021
Merged
2 tasks
@jportner
Copy link
Contributor

jportner commented Mar 5, 2021

Is there any reason we couldn't use a hash of the script instead of generating a new nonce with each request? Seems that it will accomplish what we want and it will be easier to implement.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

@legrego
Copy link
Member

legrego commented Mar 5, 2021

I'm not opposed to exploring the hash approach if that's viable. My one reservation is that it won't scale very well: while I don't expect to have a ton of these, there are at least 2 JavaScript assets within the security plugin that could benefit from the nonce approach too.

@pgayvallet
Copy link
Contributor Author

Is there any reason we couldn't use a hash of the script instead of generating a new nonce with each request

AFAIK not really, we could definitely use a hash-based nonce for the specific bootstrap.js need.

Note that I'm not sure this is really better, as we would have to expose an API inside core to allow addition of such nonce- when serving document requests, which doesn't necessarily sound more secure that a per-request generated value?

Also, as @legrego said, this seems way less generic and re-usable (even if I'm not well aware of what exactly the security plugin would like to leverage the inline scripts for)

@jportner
Copy link
Contributor

jportner commented Mar 8, 2021
edited
Loading

AFAIK not really, we could definitely use a hash-based nonce for the specific bootstrap.js need.

Note that I'm not sure this is really better, as we would have to expose an API inside core to allow addition of such nonce- when serving document requests, which doesn't necessarily sound more secure that a per-request generated value?

I was suggesting using a hash instead of a nonce, not a hash-based nonce. As described in the linked MDN page:

'<hash-algorithm>-<base64-value>'
A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the <script> or <style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See unsafe inline script for an example. In CSP 2.0, this applied only to inline scripts. CSP 3.0 allows it in the case of script-src for external scripts.

If you use a nonce, the HTTP server has to calculate a new nonce for every single request and expose that for consumers (in this case the RenderingService) to insert it where the script is inlined.

With the hashing approach, consumers can independently define hashes for the scripts that need to be inlined, and register those hashes with the HTTP server so that they can be included in the CSP response. The hash only needs to be generated and registered once for static content such as the bootstrap script.

@pgayvallet
Copy link
Contributor Author

With the hashing approach, consumers can independently define hashes for the scripts that need to be inlined, and register those hashes with the HTTP server so that they can be included in the CSP response. The hash only needs to be generated and registered once for static content such as the bootstrap script

The bootstrap script is not static though, as it depends on values of uiSettings that can be changed by the end users, so this assertion is unfortunately wrong.

@jportner
Copy link
Contributor

jportner commented Mar 8, 2021

The bootstrap script is not static though, as it depends on values of uiSettings that can be changed by the end users, so this assertion is unfortunately wrong.

Ah, thanks for clarifying. Maybe a Kibana-wide nonce would be easier, then!

@pgayvallet pgayvallet mentioned this issue Mar 12, 2021
Closed
@pgayvallet pgayvallet mentioned this issue Jun 15, 2021
Merged
2 tasks
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@jportner jportner added the Feature:Security/CSP Platform Security - Content Security Policy label Dec 3, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
@pgayvallet pgayvallet mentioned this issue Nov 15, 2022
Merged
5 tasks
@pgayvallet pgayvallet mentioned this issue Dec 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Security/CSP Platform Security - Content Security Policy Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pgayvallet @legrego @jportner @elasticmachine