[CSP] Added object-src to Content-Security-Policy-Report-Only header (#209306)

## Summary

Added support for `object_src` directive in reporting mode.

## How to test

- Add in your `kibana.dev.yml`.
```
server.customResponseHeaders.Reporting-Endpoints: violations-endpoint="https://localhost:5601/kibana/internal/security/analytics/_record_violations"
csp.report_to: [violations-endpoint]
```
- Make sure you have [dev tools configured for Reporting
API](https://developer.chrome.com/docs/capabilities/web-apis/reporting-api#use_devtools).
- Add `<embed src="https://not-example.com/flash"/>` anywhere in the
page body in
`src/platform/plugins/shared/home/public/application/components/home.tsx`
and go to Home page
- Open Dev Tools -> Console; the violation should be listed there.
<img width="1023" alt="Screenshot 2025-02-03 at 14 30 03"
src="https://github.com/user-attachments/assets/b2e5f957-4403-4b2b-a3dd-c0109fff6306"
/>


> [!NOTE]
> Hopefully, you should be able to see the violation in the Dev Tools ->
Application -> Reporting, but it's sometimes hard to catch. My recent
Chrome `132.0.6834.160` shows only CSP reports with disposition
`enforce`, not `report`.

### Checklist

- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Release Notes

Added `object_src` directive to `Content-Security-Policy-Report-Only`
header.

__Closes: https://github.com/elastic/kibana/issues/208590__

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Elena Shostak 2025-02-05 15:18:06 +01:00 committed by GitHub
parent 3c4694e1dd
commit 8a26cf6f94
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 14 additions and 3 deletions


@ -90,6 +90,10 @@ const configSchema = schema.object(
defaultValue: [],
validate: getDirectiveValidator({ allowNone: false, allowNonce: false }),
}),
object_src: schema.arrayOf(schema.string(), {
defaultValue: [],
validate: getDirectiveValidator({ allowNone: true, allowNonce: false }),
}),
})
),
strict: schema.boolean({ defaultValue: true }),
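Review bot: The new `object_src` entry is the only directive in this hunk validated with `allowNone: true`, and `'none'` is only well-formed as the sole source expression of a directive; if `getDirectiveValidator` (not in this diff) accepts it next to other entries, a value such as `csp.report_only.object_src: ["'none'", "https://example.invalid"]` (constructed example) serializes into a directive that at least Chrome flags in the console as ignoring `'none'`. Worth confirming that the validator rejects `'none'` mixed with other sources, or stating on the key that `'none'` must be used alone. The enclosing `configSchema` object starts and ends outside the hunk.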


@ -36,7 +36,7 @@ describe('CspConfig', () => {
"disableEmbedding": false,
"disableUnsafeEval": true,
"header": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'",
"reportOnlyHeader": "form-action 'report-sample' 'self'",
"reportOnlyHeader": "form-action 'report-sample' 'self'; object-src 'report-sample' 'none'",
"strict": true,
"warnLegacyBrowsers": true,
}


@ -22,13 +22,15 @@ export type CspDirectiveName =
| 'img-src'
| 'report-uri'
| 'report-to'
| 'form-action';
| 'form-action'
| 'object-src';
/**
* The default report only directives rules
*/
export const defaultReportOnlyRules: Partial<Record<CspDirectiveName, string[]>> = {
'form-action': [`'report-sample'`, `'self'`],
'object-src': [`'report-sample'`, `'none'`],
};
/**
@ -189,6 +191,10 @@ const parseConfigDirectives = (cspConfig: CspConfigType): CspConfigDirectives =>
reportOnlyDirectives.set('form-action', cspConfig.report_only?.form_action);
}
if (cspConfig.report_only?.object_src?.length) {
reportOnlyDirectives.set('object-src', cspConfig.report_only?.object_src);
}
return {
enforceDirectives,
reportOnlyDirectives,


@ -1503,7 +1503,7 @@ describe('runs with default preResponse handlers', () => {
`script-src 'report-sample' 'self' 'unsafe-eval'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'`
);
expect(response.header['content-security-policy-report-only']).toBe(
`form-action 'report-sample' 'self'`
`form-action 'report-sample' 'self'; object-src 'report-sample' 'none'`
);
});
});


@ -40,6 +40,7 @@ kibana_vars=(
csp.report_uri
csp.report_to
csp.report_only.form_action
csp.report_only.object_src
permissionsPolicy.report_to
data.autocomplete.valueSuggestions.terminateAfter
data.autocomplete.valueSuggestions.timeout