Adds a new experimental Kibana setting called `csp.disableUnsafeEval` which will default to `false`. When set to `true`, it will remove `unsafe-eval` from our CSP.
Also introduces a new module called `@kbn/handlebars` which is a replacement for the official `handlebars` module used in the frontend. This new module is necessary in order to avoid calling `eval`/`new Function` from within `handlebars` which is not allowed once `unsafe-eval` is removed from our CSP.
The `@kbn/handlebars` module is simply an extension of the main `handlebars` module which adds a new compile function called `compileAST` (as an alternative to the regular `compile` function). This new function will not use code-generation from strings to compile the template but will instead generate an AST and return a render function with the same API as the function returned by the regular `compile` function.
This is a little bit slower method, but since this is only meant to be used client-side, the slowdown should not be an issue.
The following limitations exists when using `@kbn/handlebars`:
The Inline partials handlebars template feature is not supported.
Only the following compile options will be supported:
- `knownHelpers`
- `knownHelpersOnly`
- `strict`
- `assumeObjects`
- `noEscape`
- `data`
Only the following runtime options will be supported:
- `helpers`
- `blockParams`
- `data`
Closes#36311
* [csp] allow blob styles when running from source
* update kbn/pm dist
* add kibanaServer service to saml_api_integration suite
* use common naming
* attempt to use env.packageInfo instead of IS_KIBANA_DISTRIBUTABLE const
* remove mock, clone rules before modifying
* pass env where necessary
* update core api docs
* make env optional in HttpConfig
* add tests for CspConfig changes, base header on this.rules
* fix test snapshot
* make env optional in HttpConfig too
* remove CspConfig.DEFAULT and make env a required constructor arg
* update csp_usage_collector tests
* update core api docs
* fix test name
* rename headerChangedFromDefault back to rulesChangedFromDefault
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This instructs mapbox-gl to load its workers using a static script. It removes the corresponding child-src CSP-rule from the policy. It retains the worker-src rule as it is required by the ace-editor in Dev-tools.
* Adding "style-src 'unsafe-inline' 'self'" to default CSP rules
* Updating jest snapshot
* Fixing api integration smoke test
* Verifying all CSP responses
* Fixing OIDC implicit flow test
* [@kbn/expect] "fork" expect.js into repo
* [eslint] autofix references to expect.js
* [tslint] autofix all expect.js imports
* now that expect.js is in strict mode, avoid reassigning fn.length
* csp: nonce and unsafe-eval for scripts
To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.
A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency sake
Co-Authored-By: epixa <court@epixa.com>
In order to make the license that applies to each file as clear as possible, and to be consistent with elasticsearch, we are adding Apache 2.0 license headers to the top of each file.
Existence of this header is enforced by eslint and tslint and missing headers were automatically added in the last commit by running:
```
node scripts/eslint --fix && node scripts/tslint --fix
```
