[HTTP/CDN] Set connect-src to HTTPS only when CDN is configured (#179609)

## Summary

Close https://github.com/elastic/kibana/issues/179061
This commit is contained in:
Jean-Louis Leysens 2024-04-02 13:38:59 +02:00 committed by GitHub
parent d73a8f824d
commit 849f8fb1ac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 16 additions and 3 deletions

.github/CODEOWNERS vendored

@ -1252,6 +1252,7 @@ x-pack/plugins/cloud_integrations/cloud_full_story/server/config.ts @elastic/kib
/x-pack/test/security_functional/ @elastic/kibana-security
/x-pack/test/spaces_api_integration/ @elastic/kibana-security
/x-pack/test/saved_object_api_integration/ @elastic/kibana-security
/packages/core/http/core-http-server-internal/src/cdn_config/ @elastic/kibana-security @elastic/kibana-core
#CC# /x-pack/plugins/security/ @elastic/kibana-security
# Response Ops team


@ -41,7 +41,7 @@ describe('CdnConfig', () => {
it('generates the expected CSP additions', () => {
const cdnConfig = CdnConfig.from({ url: 'https://foo.bar:9999' });
expect(cdnConfig.getCspConfig()).toEqual({
connect_src: ['foo.bar:9999'],
connect_src: ['https:'],
font_src: ['foo.bar:9999'],
img_src: ['foo.bar:9999'],
script_src: ['foo.bar:9999'],
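Review bot: The updated expectation only pins `connect_src` for an https CDN URL; nothing shows what the policy looks like for an `http://` URL, where the new scheme-only value `['https:']` would not cover the host that `font_src`/`img_src`/`script_src` still allow (assuming `CdnConfig.from` accepts such a URL, which is not visible here). A sibling case such as `const cdnConfig = CdnConfig.from({ url: 'http://foo.bar:9999' });` should assert either that construction is rejected or that `connect_src` still reaches the CDN host, so the two behaviours cannot silently drift apart. The enclosing `describe` block continues outside the hunk.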


@ -7,7 +7,7 @@
*/
import { URL, format } from 'node:url';
import type { CspAdditionalConfig } from './csp';
import type { CspAdditionalConfig } from '../csp';
export interface Input {
url?: string;
@ -34,13 +34,16 @@ export class CdnConfig {
public getCspConfig(): CspAdditionalConfig {
const host = this.host;
if (!host) return {};
// Since CDN is only used in specific envs we set `connect_src` to allow any
// but require https. This hardens security a bit, but allows apps like
// maps to still work as expected.
return {
connect_src: ['https:'],
font_src: [host],
img_src: [host],
script_src: [host],
style_src: [host],
worker_src: [host],
connect_src: [host],
};
}
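Review bot: `connect_src: ['https:']` replaces a host-scoped allowlist with a scheme-only one, so once a CDN is configured, script running in the page may fetch/XHR/WebSocket to any HTTPS origin rather than only the CDN host; the comment's "hardens security a bit" is true only relative to allowing any scheme, while relative to the removed `[host]` value this is a loosening that the comment should say outright. I would reword it to `// NOTE: 'https:' permits connections to ANY https origin, not just the CDN host. This is deliberately looser than the other directives so apps that call third-party services (e.g. maps) keep working; it does not limit where page script can send data.` Separately, if `CdnConfig.from` accepts a non-https URL (not visible here), connect-src would block fetches to the CDN host itself while font/img/script still allow it; either reject non-https CDN URLs at construction or list the host alongside the scheme: `connect_src: ['https:', host],`. The rest of the class, including `from` and the `host` accessor, is outside the hunk.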


@ -0,0 +1,9 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/
export { CdnConfig, type Input } from './cdn_config';