
Adding a CSP feature to Kibana 7.6.2 Login is failed #76630

Closed
gnana03 opened this issue Sep 3, 2020 · 4 comments
Labels
Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@gnana03

gnana03 commented Sep 3, 2020

Kibana version: 7.6.2

Server OS version: Ubuntu 18.04

Browser version: Chrome

Browser OS version: 84.04

Original install method (e.g. download page, yum, from source, etc.): Helm Charts

Description of the problem including expected versus actual behavior:

Steps to reproduce:

  1. Included the annotation below for the Kibana security headers:

       nginx.ingress.kubernetes.io/configuration-snippet: |
         # nosniff must be unquoted; browsers ignore the quoted value
         more_set_headers "X-Content-Type-Options: nosniff";
         more_set_headers "X-Frame-Options: SAMEORIGIN";
         more_set_headers "Content-Security-Policy: script-src 'self'";
         more_set_headers "X-XSS-Protection: 1; mode=block";
  2. Log into Kibana after deploying the change

Errors in browser console (if relevant):
Definition of plugin "data" should be a function (/bundles/plugin/data.bundle.js).
Version: 7.6.2
Build: 29199
Error: Definition of plugin "data" should be a function (/bundles/plugin/data.bundle.js).
at HTMLScriptElement.script.onload
Provide logs and/or server output (if relevant):

Describe the feature:
After adding a CSP header to Kibana 7.6.2, login fails with the error shown above.

@lukeelmers lukeelmers added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! triage_needed labels Sep 4, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-platform (Team:Platform)

@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jportner
Contributor

jportner commented Sep 4, 2020

This is not a bug. Kibana ships with this Content-Security-Policy by default: script-src 'unsafe-eval' 'self'; worker-src blob:; child-src blob:; style-src 'unsafe-inline' 'self'

You are using a reverse proxy to override this response header with a stricter policy, but Kibana needs this minimal set of directives to operate.

script-src 'unsafe-eval' in particular is undesirable, but it is currently required due to third-party dependencies, which include (but are not limited to) Angular.

You can keep an eye on these issues that are currently open to enhance Kibana's default CSP:

@jportner jportner closed this as completed Sep 4, 2020
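As an added check (not code from this issue, from Kibana, or from the nginx ingress project), the following Python parses a Content-Security-Policy header value, applies the CSP fallback chain, and reports which of the sources in Kibana 7.6.2's default policy a proxy-injected override would drop. `COMPATIBLE_OVERRIDE` and its `/csp-report` endpoint are constructed examples of an override that stays compatible.

```python
"""Compare a proxy-injected CSP with the minimal policy Kibana 7.6.2 ships with."""

# Kibana 7.6.2's default CSP, as quoted in the maintainer's comment above.
KIBANA_DEFAULT_CSP = ("script-src 'unsafe-eval' 'self'; worker-src blob:; "
                      "child-src blob:; style-src 'unsafe-inline' 'self'")

# The override from the issue's nginx annotation, and a constructed override that
# keeps Kibana's directives while adding stricter ones (assumed report endpoint).
ISSUE_OVERRIDE = "script-src 'self'"
COMPATIBLE_OVERRIDE = KIBANA_DEFAULT_CSP + "; frame-ancestors 'self'; report-uri /csp-report"

# CSP fallback chain: when a directive is absent the browser consults the next one.
FALLBACK = {
    "worker-src": ["child-src", "script-src", "default-src"],
    "child-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
}

def parse_csp(header):
    """Parse a CSP header value into {directive: set(sources)}; first occurrence wins."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy

def effective_sources(policy, directive):
    """Sources the browser applies to `directive`, or None when nothing restricts it."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return None

def missing_sources(candidate, required=KIBANA_DEFAULT_CSP):
    """Return {directive: sources} that `required` needs but `candidate` would block.
    Sources are compared as exact tokens: keywords such as 'unsafe-eval' and schemes
    such as blob: are never matched by '*', so exact comparison is a safe approximation."""
    cand, need = parse_csp(candidate), parse_csp(required)
    missing = {}
    for directive, sources in need.items():
        applied = effective_sources(cand, directive)
        if applied is None:  # no directive restricts this fetch type: allowed
            continue
        lost = sources - applied
        if lost:
            missing[directive] = lost
    return missing

if __name__ == "__main__":
    print("issue override blocks:", missing_sources(ISSUE_OVERRIDE))
    print("compatible override blocks:", missing_sources(COMPATIBLE_OVERRIDE))
```

Running it shows that the issue's `script-src 'self'` removes `'unsafe-eval'` from script-src and, through the fallback chain, `blob:` from worker-src, which is enough to break the plugin bundles.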
@gnana03
Author

gnana03 commented Sep 7, 2020

Thanks @jportner for the detailed explanation!
