* Updating the Licenses, except for applying eslint, building
* Applying ESLint rules, building @kbn/pm, regenerating api docs
Co-authored-by: kobelb <brandon.kobel@elastic.co>
* [csp] allow blob styles when running from source
* update kbn/pm dist
* add kibanaServer service to saml_api_integration suite
* use common naming
* attempt to use env.packageInfo instead of IS_KIBANA_DISTRIBUTABLE const
* remove mock, clone rules before modifying
* pass env where necessary
* update core api docs
* make env optional in HttpConfig
* add tests for CspConfig changes, base header on this.rules
* fix test snapshot
* make env optional in HttpConfig too
* remove CspConfig.DEFAULT and make env a required constructor arg
* update csp_usage_collector tests
* update core api docs
* fix test name
* rename headerChangedFromDefault back to rulesChangedFromDefault
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This instructs mapbox-gl to load its workers using a static script. It removes the corresponding child-src CSP-rule from the policy. It retains the worker-src rule as it is required by the ace-editor in Dev-tools.
* Adding "style-src 'unsafe-inline' 'self'" to default CSP rules
* Updating jest snapshot
* Fixing api integration smoke test
* Verifying all CSP responses
* Fixing OIDC implicit flow test
* [@kbn/expect] "fork" expect.js into repo
* [eslint] autofix references to expect.js
* [tslint] autofix all expect.js imports
* now that expect.js is in strict mode, avoid reassigning fn.length
* csp: nonce and unsafe-eval for scripts
To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.
A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency sake
Co-Authored-By: epixa <court@epixa.com>