add contents
Signed-off-by: Tianle Huang <[email protected]>
tianleh committed Mar 14, 2024
1 parent 149ad23 commit fe75470
Showing 2 changed files with 44 additions and 8 deletions.
8 changes: 0 additions & 8 deletions _dashboards/csp-configuration.md

This file was deleted.

44 changes: 44 additions & 0 deletions _dashboards/csp/csp-dynamic-configuration.md
@@ -0,0 +1,44 @@
---
layout: default
title: Content Security Policy (CSP) Rules Dynamic Configuration
nav_order: 110
has_children: false
---

# Content Security Policy Rules Dynamic Configuration

Content Security Policy (CSP) is a security standard introduced to help prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted web page context. OpenSearch Dashboards supports configuring CSP rules in OSD YML file with key `csp.rules`. A change in YML file requires a server restart which may interrupt service availability. This document introduces a dynamic way to configure the CSP rules through the plugin `applicationConfig` without restarting the server.

## Configuration

The plugin `applicationConfig` provides read and write APIs for OSD customers to manage their dynamic configurations as key value pairs in an index. Another plugin `cspHandler` registers a pre-response handler to `HttpServiceSetup` which can get CSP rules from the dependent plugin `applicationConfig` and then rewrite to CSP header. Customers who want to use this feature need to enable both plugins in OSD YML as follows.

```
application_config.enabled: true
csp_handler.enabled: true
```

For OSD users who want to make changes to allow a new site to embed OSD pages, they can update CSP rules through CURL. (See the README of `applicationConfig` for more details about the APIs.) **Please note that use backslash as string wrapper for single quotes inside the `data-raw` parameter. E.g use `'\''` to represent `'`**

```
curl '{osd endpoint}/api/appconfig/csp.rules' -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty' --data-raw '{"newValue":"script-src '\''unsafe-eval'\'' '\''self'\''; worker-src blob: '\''self'\''; style-src '\''unsafe-inline'\'' '\''self'\''; frame-ancestors '\''self'\'' {new site}"}'
```

Below is the CURL command to delete CSP rules.

```
curl '{osd endpoint}/api/appconfig/csp.rules' -X DELETE -H 'osd-xsrf: osd-fetch' -H 'Sec-Fetch-Dest: empty'
```

Below is the CURL command to get the CSP rules.

```
curl '{osd endpoint}/api/appconfig/csp.rules'
```

## Precedence

In general, the dynamic configurations will take precedence over the configurations in YML. Specifically, when there is non empty CSP rules configured in the index, the rules from the YML will be used. To prevent clickjacking, we will append the `frame-ancestors` directive with value `'self'` if the rules from YML will be used and do not already have the directive `frame-ancestors`.
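Review bot: the second sentence of the Precedence paragraph contradicts the first. It says that when there are non-empty CSP rules in the index, "the rules from the YML will be used", which inverts the stated rule that dynamic configuration takes precedence over YML. It should say the YML rules are the fallback, e.g. "Specifically, when there are no CSP rules configured in the index, the rules from the YML will be used." Related: the `frame-ancestors 'self'` append is documented only for the YML path; the page should state what the handler does when dynamically configured rules omit `frame-ancestors`, because the POST example in the Configuration section is exactly the path a user takes to add `{new site}` to `frame-ancestors`, and the clickjacking protection should not disappear silently if that directive is left out. The POST and DELETE examples also show no authentication at all while changing a security header on every response; say which permissions the `applicationConfig` write APIs require, or link the README section that does. Minor: the style job flags the H1 for sentence case ("Content Security Policy rules dynamic configuration"), and the `'\''` note could simply say that each single quote inside the `--data-raw` JSON must be written as `'\''` because the whole argument is single-quoted in the shell.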
