Add default-src 'none' to our report-only CSP (#243545)

## Summary

Adds `default-src 'none'` to our report-only content security policy.

In support of this, the report-only policy was updated to account for
all expected `*-src` directives, so that we do not receive false
positive reports.

Relates: #56996

**Important:** This does not change any of the enforced CSP directives.
This only adjusts the "Report" directive, which does not perform any
enforcement.

---------

Co-authored-by: kibanamachine <[email protected]>

Author: legrego

src/core/packages/http/server-internal/src/csp/csp_config.test.ts

@@ -37,7 +37,7 @@ describe('CspConfig', () => {
         "disableEmbedding": false,
         "disableUnsafeEval": true,
         "header": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'",
-        "reportOnlyHeader": "form-action 'report-sample' 'self'",
+        "reportOnlyHeader": "form-action 'report-sample' 'self'; default-src 'report-sample' 'none'; font-src 'report-sample' 'self'; img-src 'report-sample' 'self' data:; connect-src 'report-sample' 'self' telemetry.elastic.co telemetry-staging.elastic.co; script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'",
         "strict": true,
         "warnLegacyBrowsers": true,
       }

src/core/packages/http/server-internal/src/csp/csp_directives.test.ts

@@ -51,6 +51,19 @@ describe('CspDirectives', () => {
       );
     });
 
+    it('augments report-only directives when testing default-src none', () => {
+      const config = cspConfig.schema.validate({
+        img_src: ['img-src-value'],
+      });
+      const directives = CspDirectives.fromConfig(config);
+      expect(directives.getCspHeadersByDisposition()).toMatchInlineSnapshot(`
+        Object {
+          "enforceHeader": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'; img-src 'self' img-src-value",
+          "reportOnlyHeader": "form-action 'report-sample' 'self'; default-src 'report-sample' 'none'; font-src 'report-sample' 'self'; img-src 'report-sample' 'self' data: img-src-value; connect-src 'report-sample' 'self' telemetry.elastic.co telemetry-staging.elastic.co; script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'",
+        }
+      `);
+    });
+
     it('automatically adds single quotes for keywords', () => {
       const directives = new CspDirectives();
       directives.addDirectiveValue('script-src', 'none');

src/core/packages/http/server-internal/src/csp/csp_directives.ts

@@ -23,13 +23,33 @@ export type CspDirectiveName =
   | 'report-uri'
   | 'report-to'
   | 'form-action'
-  | 'object-src';
+  | 'object-src'
+  | 'child-src'
+  | 'manifest-src'
+  | 'media-src'
+  | 'object-src'
+  | 'prefetch-src'
+  | 'script-src-elem'
+  | 'script-src-attr'
+  | 'style-src-elem'
+  | 'style-src-attr';
 
 /**
  * The default report only directives rules
  */
 export const defaultReportOnlyRules: Partial<Record<CspDirectiveName, string[]>> = {
   'form-action': [`'report-sample'`, `'self'`],
+  'default-src': [`'report-sample'`, `'none'`],
+  'font-src': [`'report-sample'`, `'self'`],
+  'img-src': [`'report-sample'`, `'self'`, 'data:'],
+  'connect-src': [
+    `'report-sample'`,
+    `'self'`,
+    // TODO: Ideally, Core would not know about these endpoints, as they are governed by the Telemetry plugin.
+    // This can be improved once https://github.com/elastic/kibana/issues/181812 is implemented.
+    'telemetry.elastic.co',
+    'telemetry-staging.elastic.co',
+  ],
 };
 
 /**
@@ -55,6 +75,29 @@ export const additionalRules: Partial<Record<CspDirectiveName, string[]>> = {
   'frame-src': [`'self'`],
 };
 
+/**
+ * Child directives that should inherit from `default-src` if not explicitly set.
+ * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/default-src
+ */
+export const defaultSrcChildDirectives: CspDirectiveName[] = [
+  'child-src',
+  'connect-src',
+  'font-src',
+  'frame-src',
+  'img-src',
+  'manifest-src',
+  'media-src',
+  'object-src',
+  'prefetch-src',
+  'script-src',
+  'script-src-elem',
+  'script-src-attr',
+  'style-src',
+  'style-src-elem',
+  'style-src-attr',
+  'worker-src',
+];
+
 interface CspConfigDirectives {
   enforceDirectives: Map<CspDirectiveName, string[]>;
   reportOnlyDirectives: Map<CspDirectiveName, string[]>;
@@ -80,6 +123,14 @@ export class CspDirectives {
       directive.delete(`'none'`);
     }
     directive.add(normalizedDirectiveValue);
+
+    // If we are testing default-src 'none', then we need to add all expected child directives to the report-only policy
+    // to prevent reports from being generated for those child directives.
+    const enforcingDefaultSrcChildDirective =
+      enforce && defaultSrcChildDirectives.includes(directiveName);
+    if (this.isTestingDefaultSrc() && enforcingDefaultSrcChildDirective) {
+      this.addDirectiveValue(directiveName, directiveValue, false);
+    }
   }
 
   clearDirectiveValues(directiveName: CspDirectiveName) {
@@ -106,6 +157,17 @@ export class CspDirectives {
       .join('; ');
   }
 
+  /**
+   * Determines if we are currently testing the default-src 'none' configuration.
+   * @returns True if we are testing default-src 'none', false otherwise.
+   */
+  private isTestingDefaultSrc(): boolean {
+    return this.reportOnlyDirectives.has('default-src') &&
+      this.reportOnlyDirectives.get('default-src')?.has(`'none'`)
+      ? true
+      : false;
+  }
+
   static fromConfig(
     firstConfig: CspConfigType,
     ...otherConfigs: Array<Partial<CspConfigType>>
@@ -116,17 +178,19 @@ export class CspDirectives {
     );
     const cspDirectives = new CspDirectives();
 
-    // combining `default` directive configurations
-    Object.entries(defaultRules).forEach(([key, values]) => {
+    // combining `default` report only directive configurations
+    // it's important to add these before the enforced directives below so that we can handle report-only updates
+    // in response to enforced directives (e.g., default-src 'none' testing)
+    Object.entries(defaultReportOnlyRules).forEach(([key, values]) => {
       values?.forEach((value) => {
-        cspDirectives.addDirectiveValue(key as CspDirectiveName, value);
+        cspDirectives.addDirectiveValue(key as CspDirectiveName, value, false);
       });
     });
 
-    // combining `default` report only directive configurations
-    Object.entries(defaultReportOnlyRules).forEach(([key, values]) => {
+    // combining `default` directive configurations
+    Object.entries(defaultRules).forEach(([key, values]) => {
       values?.forEach((value) => {
-        cspDirectives.addDirectiveValue(key as CspDirectiveName, value, false);
+        cspDirectives.addDirectiveValue(key as CspDirectiveName, value);
       });
     });
 

src/core/server/integration_tests/http/lifecycle.test.ts

@@ -1666,7 +1666,7 @@ describe('runs with default preResponse handlers', () => {
       `script-src 'report-sample' 'self' 'unsafe-eval'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
     );
     expect(response.header['content-security-policy-report-only']).toBe(
-      `form-action 'report-sample' 'self'`
+      `form-action 'report-sample' 'self'; default-src 'report-sample' 'none'; font-src 'report-sample' 'self'; img-src 'report-sample' 'self' data:; connect-src 'report-sample' 'self' telemetry.elastic.co telemetry-staging.elastic.co; script-src 'report-sample' 'self' 'unsafe-eval'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
     );
   });
 });