Permissions Policy Reporting

[elena-shostak]

Summary

1. Added top-level permissionsPolicy configuration setting.
2. Added support for report_to directive.
3. Added support for Permissions-Policy-Report-Only header to enable reporting mode.
4. The spec mentions featureId in the reporting body, however the field is policyId in Chromium.

How to test

• Add in your kibana.dev.yml.

server.customResponseHeaders.Reporting-Endpoints: violations-endpoint="https://localhost:5601/kibana/internal/security/analytics/_record_violations"
server.securityResponseHeaders.permissionsPolicy: 'microphone=()'
server.securityResponseHeaders.permissionsPolicyReportOnly: 'camera=()'
permissionsPolicy.report_to: [violations-endpoint]

• Make sure you have dev tools configured for Reporting API.
• In the browser console invoke navigator.mediaDevices.getUserMedia({ audio: true, video: true }).catch((e) => {});
• Open Dev Tools -> Application -> Reporting API.
  You should see 2 reports for permissions violation, one with report disposition and another with enforce disposition.

Checklist

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list

For maintainers

• This was checked for breaking API changes and was labeled appropriately

Related Issue(s)

#175113, #184939

Release Note

Added support for Permissions Policy reporting.

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

/ci

[elena-shostak]

Probably @azasypkin could use your advice here, the spec mentions featureId, however the report that is sent from Chrome (my version is 126.0.6478.127) has policyId, not featureId. Should we support both?

[elena-shostak]

Added support for both ✅

[elena-shostak]

@elasticmachine merge upstream

[elena-shostak]

/ci

[elena-shostak]

/ci

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 5d9ff915701efb7480d806c770ddab105596bbdb
• Cloud Deployment

Failed CI Steps

• FTR Configs #65

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/core-http-server-internal	79	82	+3

Unknown metric groups

API count

id	before	after	diff
@kbn/core-http-server-internal	92	95	+3

History

• 💔 Build #218209 failed d9590276ebb168722e48bd04af6b342ca1c2bdd3
• 💛 Build #218180 was flaky 61bb5d45950a1615b829fdecea959adc01fdc8c1
• 💛 Build #217905 was flaky 40710144d3561e62fe25bda8513ef92ad512f977
• 💔 Build #217844 failed f63a745edcd844e30dff600869055a3b347c8367
• 💔 Build #217727 failed 82eb5ae91bec61d07539637c69711deb5c74deec

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jbudz]

kibana-docker

[pgayvallet]

LGTM

[pgayvallet]

(thinking out loud, not directly related to this PR) I feel like this increasing accumulation of config segments we need to build the concrete http config is the sign of us forcing this artificial separation without good reasons. At some point we might want to regroup everything properly under the same server prefix (or, let's be crazy, a new http prefix) to break this.

[jeramysoucy]

LGTM! Just a question about the Permissions-Policy-Report-Only link in the settings documentation, as I didn't see this specific header mentioned.

[jeramysoucy]

I didn't find any documentation specifically on the Permissions-Policy-Report-Only header. Is the link incorrect, or is this not explicitly documented?

[elena-shostak]

Unfortunately, it is not explicitly documented on mdn. I can link it to the spec https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-report-only-http-header-field (but this is editor's draft)