Add nonce- to our CSP policy to allow inlining bootstrap.js inside the application document
#93785
In #92784, we migrated the `/bootstrap.js` endpoint from legacy to core. The `/bootstrap.js` endpoint is now an unnecessary request, as we are technically able to inline this script in the application's document generated by the `rendering` service. However, our CSP policy currently forbids that, as we are legitimately disabling `unsafe-inline` by default. Ideally, we would generate a `nonce-` id for each application request, and use it in the `rendering` service to add the `nonce` attribute to scripts we need to inline.

Comments

Pinging @elastic/kibana-core (Team:Core)

Pinging @elastic/apm-ui (Team:apm)

Pinging @elastic/kibana-security (Team:Security)

Is there any reason we couldn't use a hash of the script instead of generating a new nonce with each request? Seems that it will accomplish what we want and it will be easier to implement. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

I'm not opposed to exploring the hash approach if that's viable. My one reservation is that it won't scale very well: while I don't expect to have a ton of these, there are at least 2 JavaScript assets within the security plugin that could benefit from the

AFAIK not really, we could definitely use a hash-based nonce for the specific Note that I'm not sure this is really better, as we would have to expose an API inside core to allow addition of such Also, as @legrego said, this seems way less generic and re-usable (even if I'm not well aware of what exactly the security plugin would like to leverage the inline scripts for)

I was suggesting using a hash instead of a nonce, not a hash-based nonce. As described in the linked MDN page:
If you use a nonce, the HTTP server has to calculate a new nonce for every single request and expose that for consumers (in this case the With the hashing approach, consumers can independently define hashes for the scripts that need to be inlined, and register those hashes with the HTTP server so that they can be included in the CSP response. The hash only needs to be generated and registered once for static content such as the bootstrap script.

The bootstrap script is not static though, as it depends on values of uiSettings that can be changed by the end users, so this assertion is unfortunately wrong.

Ah, thanks for clarifying. Maybe a Kibana-wide nonce would be easier, then!