I've added `server.customResponseHeaders.Content-Security-Policy` to kibana.yml to have the browser enforce some CSP restrictions. This ticket, CSP unsafe-eval auditing · Issue #36311 · elastic/kibana · GitHub, discusses the need for allowing inline scripts etc. Locked-down CSP directives with Kibana apparently won't be ready for a while.
So, I developed the following list of directives that work with Kibana 7.6.0. I see no reports of CSP violations with these directives:
```yaml
server.customResponseHeaders.Content-Security-Policy: "frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.elastic.co; worker-src 'self' blob:; connect-src 'self' https://*.elastic.co; report-uri bad-url"
```
I leave the report-uri directive in there so I can see reports in the browser console.
However, I'm still seeing the warning toast on every page, including the login page:

> Your browser does not meet the security requirements for Kibana.
I also set `csp.strict=false` in kibana.yml but saw the same result. I'm using the latest Firefox and Chrome browsers. The only way I can get this warning to go away is to remove the CSP line from kibana.yml.
How can I enforce CSP but not see this warning?
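An added example, not code from the original post or from Kibana: a small CSP parser that evaluates what a `script-src` policy actually permits. The security point it illustrates is that Kibana's "does not meet the security requirements" check is a probe for an unenforced CSP: it embeds an inline script that a blocking policy is supposed to stop, so a policy that lists `'unsafe-inline'` in `script-src` lets the probe run and the toast fires even though a CSP header is present. The code applies the standard CSP rules (`script-src` falls back to `default-src`, no directive means no restriction, `'unsafe-inline'` is ignored when a nonce or hash source is present) to the policy from the post and to a constructed variant with `'unsafe-inline'` removed from `script-src`. The function names and the second policy string are assumptions of this example.

```javascript
// Added example, not code from the original post or from Kibana.
// Parses a Content-Security-Policy header and reports whether it lets an
// inline <script> run and whether it lets eval() run, following the rules
// browsers apply:
//   - script-src falls back to default-src when absent; with neither present
//     scripts are unrestricted;
//   - duplicate directives are ignored, the first occurrence wins;
//   - 'unsafe-inline' in script-src is ignored when a nonce- or hash-source
//     is also listed.
'use strict';

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null; // no directive governs scripts: everything is allowed
}

function allowsInlineScript(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function allowsEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Summary of what a policy lets page scripts do; an inline probe script such
// as Kibana's only executes when inlineScript is true.
function auditScriptPolicy(header) {
  const policy = parseCsp(header);
  return {
    inlineScript: allowsInlineScript(policy),
    eval: allowsEval(policy),
    reportUri: policy.get('report-uri') ?? null,
  };
}

// The policy from the post, with the wildcard hosts written out.
const POST_POLICY =
  "frame-ancestors 'self'; default-src 'self'; " +
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
  "img-src 'self' data: blob: https://*.elastic.co; worker-src 'self' blob:; " +
  "connect-src 'self' https://*.elastic.co ; report-uri bad-url";

// Constructed variant (assumption of this example): identical, except that
// 'unsafe-inline' is dropped from script-src while 'unsafe-eval' stays.
const NO_INLINE_POLICY = POST_POLICY.replace(
  "script-src 'self' 'unsafe-eval' 'unsafe-inline'",
  "script-src 'self' 'unsafe-eval'"
);

function main() {
  for (const [label, header] of [['post policy', POST_POLICY], ['without unsafe-inline', NO_INLINE_POLICY]]) {
    const r = auditScriptPolicy(header);
    console.log(
      `${label}: inline script ${r.inlineScript ? 'runs' : 'blocked'}, ` +
      `eval ${r.eval ? 'allowed' : 'blocked'}, report-uri=${r.reportUri}`
    );
  }
}

main();
```

The audit reports that the posted policy lets an inline script run, which is exactly the condition the probe detects, while the variant without `'unsafe-inline'` still permits the `'unsafe-eval'` that issue #36311 says Kibana needs but blocks inline scripts. Any policy change should be re-checked against the browser console with `report-uri` still in place, since a tighter `script-src` can surface violations the posted policy never produced.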