CSP warning toast displays in latest browsers

I've added server.customResponseHeaders.Content-Security-Policy to kibana.yml to have the browser enforce some CSP restrictions. The ticket "CSP unsafe-eval auditing" (elastic/kibana issue #36311 on GitHub) discusses the need for allowing inline scripts etc. Locked-down CSP directives with Kibana apparently won't be ready for a while.

So, I developed the following list of directives that work with Kibana 7.6.0.
I see no reports of CSP violations with these directives.

server.customResponseHeaders.Content-Security-Policy: "frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.elastic.co; worker-src 'self' blob:; connect-src 'self' https://*.elastic.co ; report-uri bad-url"

I leave the report-uri directive in there so I can see reports in the browser console.

However, I'm still seeing the warning toast on every page, including the login page:

Your browser does not meet the security requirements for Kibana.

I also set csp.strict=false in kibana.yml but saw the same result. I'm using the latest Firefox and Chrome browsers. The only way I can get this warning to go away is to remove the CSP line from kibana.yml.
How can I enforce CSP but not see this warning?

Try using csp.warnLegacyBrowsers: false

Yes, that worked.
Several issues:
First, we're not using legacy browsers -- latest FF and Chrome.
Second, the docs say that this flag is ignored if csp.strict is true, which is the default. But I didn't need to turn csp.strict off to get this to work.

It seems like a bug in Kibana. The docs say that CSP checking was added a few versions ago which I think consists of trying to run an inline script to see if there's an error. Not sure how that works without sending a CSP header. Perhaps without a CSP header this test really does detect old browsers. But with new browsers the test goes sideways when a CSP header is also sent.
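The header from the first post and the inline-script check speculated about above, modelled as an added example: this is not Kibana's code, and the probe is a generic model of the CSP rule for inline scripts, not a claim about Kibana's internals. The script parses a serialized policy, reports the risky keywords in the effective script-src, flags source expressions that are not valid keyword, scheme, nonce/hash or host sources (a leading dot with no wildcard, for instance, is not a host-source), and answers whether an inline script would run under the policy. The sample policy is the post's directive list, embedded as a constructed string. Under CSP an inline script is blocked only when 'unsafe-inline' is absent, or neutralised by a nonce or hash source, so a browser that faithfully enforces a policy containing 'unsafe-inline' still executes an inline probe, and the probe alone cannot tell that browser apart from one that ignores CSP entirely.

```python
"""Audit a Content-Security-Policy header and model an inline-script probe.

Added example, not Kibana's own code. The policy below is the directive list
from the post, embedded as a constructed sample.
"""
import re

KIBANA_CSP = (
    "frame-ancestors 'self'; default-src 'self'; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data: blob: https://*.elastic.co; "
    "worker-src 'self' blob:; connect-src 'self' https://*.elastic.co ; "
    "report-uri bad-url"
)

# Keyword sources defined by the CSP spec (quoted, case-insensitive).
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'unsafe-hashes'", "'strict-dynamic'", "'report-sample'",
            "'wasm-unsafe-eval'"}
SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.\-]*:$", re.I)
NONCE_OR_HASH = re.compile(r"^'(?:nonce|sha256|sha384|sha512)-", re.I)
# host-source: optional scheme, "*" or a dotted host with an optional leading
# "*." label, then optional port and path. A bare leading "." is not allowed.
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://)?"
    r"(?:\*|(?:\*\.)?[a-z0-9\-]+(?:\.[a-z0-9\-]+)*)"
    r"(?::(?:\d+|\*))?(?:/[^\s;,]*)?$", re.I)
REPORTING = ("report-uri", "report-to")  # these take a URI, not a source list


def parse_csp(header):
    """Split a serialized policy into {directive: [sources]}.
    A directive repeated later in the same policy is ignored, as the spec says."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives (script-src, img-src, ...) inherit default-src when absent."""
    return policy.get(directive, policy.get("default-src", []))


def inline_script_allowed(policy):
    """Would an inline <script> execute? Only if 'unsafe-inline' is listed and
    no nonce or hash source is present (a nonce/hash makes 'unsafe-inline' ignored)."""
    sources = {s.lower() for s in effective_sources(policy, "script-src")}
    return ("'unsafe-inline'" in sources
            and not any(NONCE_OR_HASH.match(s) for s in sources))


def audit(header):
    """Return the findings a defender would review before shipping the header."""
    policy = parse_csp(header)
    script = {s.lower() for s in effective_sources(policy, "script-src")}
    malformed = []
    for name, sources in policy.items():
        if name in REPORTING:
            continue
        for s in sources:
            if (s.lower() in KEYWORDS or SCHEME_SOURCE.match(s)
                    or NONCE_OR_HASH.match(s) or HOST_SOURCE.match(s)):
                continue
            malformed.append((name, s))
    return {
        "unsafe_inline_scripts": "'unsafe-inline'" in script,
        "unsafe_eval": "'unsafe-eval'" in script,
        "reporting_configured": any(d in policy for d in REPORTING),
        "malformed_sources": malformed,
        # Model of an enforcement check built on an inline probe script: the probe
        # is blocked only when the browser enforces CSP AND inline is disallowed.
        "inline_probe_runs": inline_script_allowed(policy),
    }


if __name__ == "__main__":
    for key, value in audit(KIBANA_CSP).items():
        print(f"{key}: {value}")
```

Running it on the post's policy reports that inline and eval are both enabled for scripts, that reporting is configured, that every source expression parses, and that an inline probe runs; a policy that replaces 'unsafe-inline' with a nonce, or omits it, is the only kind under which the probe is blocked.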
