[csp] reject legacy browsers by default (#41700)

* [csp] reject legacy browsers by default

The csp.strict config is now enabled by default, so legacy browsers like
IE11 will not be able to access Kibana unless the deployment has
explicitly enabled it.

* docs: csp.strict breaking change
Court Ewing 2019-07-24 09:16:52 -04:00 committed by GitHub
parent d8e9d2a7ca
commit 9950b39cf9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 3 deletions


@ -36,6 +36,12 @@ for example, `logstash-*`.
=== Settings changes
// tag::notable-breaking-changes[]
[float]
==== Legacy browsers are now rejected by default
*Details:* `csp.strict` is now enabled by default, so Kibana will fail to load for older, legacy browsers that do not enforce basic Content Security Policy protections - notably Internet Explorer 11.
*Impact:* To allow Kibana to function for these legacy browsers, set `csp.strict: false`. Since this is about enforcing a security protocol, we *strongly discourage* disabling `csp.strict` unless it is critical that you support Internet Explorer 11.
[float]
==== Default logging timezone is now the system's timezone
*Details:* In prior releases the timezone used in logs defaulted to UTC. We now use the host machine's timezone by default.
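Review bot: the new breaking-change entry describes the failure as "Kibana will fail to load", while the settings reference in the same commit says the server "Blocks access"; pick one phrasing so readers understand this is a deliberate server-side block rather than a client-side rendering bug. The *Impact:* paragraph would also benefit from a one-line pointer to the `csp.strict` setting documentation so operators know where the `csp.strict: false` override lives in `kibana.yml`.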


@ -32,7 +32,7 @@ instances of `{nonce}` will be replaced with an automatically generated nonce
at load time. We strongly recommend that you keep the default CSP rules that
ship with Kibana.
`csp.strict:`:: *Default: `false`* Blocks access to Kibana to any browser that
`csp.strict:`:: *Default: `true`* Blocks access to Kibana to any browser that
does not enforce even rudimentary CSP rules. In practice, this will disable
support for older, less safe browsers like Internet Explorer.
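Review bot: the default flip is correct, but the surrounding sentence is now slightly off: "Blocks access to Kibana to any browser" reads better as "Blocks access to Kibana for any browser", and since the breaking-change note names Internet Explorer 11 specifically, this entry should say "Internet Explorer 11" as well so the two documents agree on which browser is affected.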


@ -48,7 +48,7 @@ Array [
});
test('CSP strict mode defaults to disabled', () => {
expect(DEFAULT_CSP_STRICT).toBe(false);
expect(DEFAULT_CSP_STRICT).toBe(true);
});
test('CSP legacy browser warning defaults to enabled', () => {
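Review bot: the test name is now wrong. The expectation changed to `expect(DEFAULT_CSP_STRICT).toBe(true);` but the description still reads `test('CSP strict mode defaults to disabled', ...)`; rename it to `'CSP strict mode defaults to enabled'` to match the sibling test on the next line, otherwise a future failure report will point at a misleading name.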


@ -28,7 +28,7 @@ export const DEFAULT_CSP_RULES = Object.freeze([
'child-src blob:',
]);
export const DEFAULT_CSP_STRICT = false;
export const DEFAULT_CSP_STRICT = true;
export const DEFAULT_CSP_WARN_LEGACY_BROWSERS = true;
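Review bot: a short comment above `export const DEFAULT_CSP_STRICT = true;` stating that `true` blocks any browser that does not enforce CSP would help; the rationale currently lives only in the breaking-change docs, and a reader of this file sees two adjacent booleans (`DEFAULT_CSP_STRICT`, `DEFAULT_CSP_WARN_LEGACY_BROWSERS`) with no indication that the first makes the second's warning unreachable for blocked browsers.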