Enforce object_src in our CSP (#241029)

## Summary

This transitions our `object_src 'report-sample' 'none'` CSP directive
from the `Content-Security-Policy-Report-Only` header to the
`Content-Security-Policy` header, thereby enforcing the directive.

- We also have to allow administrators to configure `object_src` to suit
their needs. Therefore, this PR introduces a new `csp.object_src`
configuration property, which allows admins to specify a different
`object_src` than the one we ship with.

- This deprecates the `csp.report_only.object_src` configuration
setting, as we are no longer reporting `object_src` directives in a
"report only" fashion.

- This adds a config deprecation for `csp.disableUnsafeEval`, which was
documented as deprecated as of `8.7.0`.

Resolves #241024

## Release Notes

Enforces the `object_src 'none'` directive in Kibana's Content Security
Policy. Introduces a new `csp.object_src` configuration option to
control its behavior.

---------

Co-authored-by: florent-leborgne <[email protected]>

Author: legrego

docs/reference/cloud/elastic-cloud-kibana-settings.md

@@ -419,6 +419,9 @@ This setting is not available in versions 8.0.0 through 8.2.0. As such, this set
 `csp.img_src`
 :   Add sources for the [Content Security Policy `img-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src).
 
+`csp.object_src` {applies_to}`stack: ga 9.3`
+:   Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src).
+
 `csp.report_uri`
 :   Add sources for the [Content Security Policy `report-uri` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri).
 

docs/reference/configuration-reference/general-settings.md

@@ -45,6 +45,9 @@ If a setting is applicable to {{ech}} environments, its name is followed by this
 `csp.img_src`
 :   Add sources for the [Content Security Policy `img-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src).
 
+`csp.object_src` {applies_to}`stack: ga 9.3`
+:   Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src).
+
 `csp.frame_ancestors`
 :   Add sources for the [Content Security Policy `frame-ancestors` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).
 
@@ -59,6 +62,11 @@ If a setting is applicable to {{ech}} environments, its name is followed by this
 `csp.report_only.object_src`
 :   Add sources for the [Content Security Policy `object-src` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/object-src) in reporting mode.
 
+    :::{note}
+    :applies_to: stack: deprecated 9.3
+    This setting is deprecated in favor of `csp.object_src`.
+    :::
+
 `csp.report_uri`
 :   Add sources for the [Content Security Policy `report-uri` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri).
 

src/core/packages/http/server-internal/src/csp/config.test.ts

@@ -7,8 +7,40 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
+import { cloneDeep } from 'lodash';
+import { applyDeprecations, configDeprecationFactory } from '@kbn/config';
 import { cspConfig } from './config';
 
+const deprecationContext = {
+  branch: 'main',
+  version: '9.0.0',
+  docLinks: {} as any,
+};
+
+const applyConfigDeprecations = (settings: Record<string, any> = {}) => {
+  const deprecations = cspConfig.deprecations!(configDeprecationFactory);
+  const deprecationMessages: string[] = [];
+  const configPaths: string[] = [];
+  const { config: migrated } = applyDeprecations(
+    settings,
+    deprecations.map((deprecation) => ({
+      deprecation,
+      path: cspConfig.path,
+      context: deprecationContext,
+    })),
+    () =>
+      ({ message, configPath }) => {
+        deprecationMessages.push(message);
+        configPaths.push(configPath);
+      }
+  );
+  return {
+    configPaths,
+    messages: deprecationMessages,
+    migrated,
+  };
+};
+
 describe('config.validate()', () => {
   it(`does not allow "disableEmbedding" to be set to true`, () => {
     // This is intentionally not editable in the raw CSP config.
@@ -320,6 +352,36 @@ describe('config.validate()', () => {
     });
   });
 
+  describe(`"object_src"`, () => {
+    it('throws if using an `nonce-*` value', () => {
+      expect(() =>
+        cspConfig.schema.validate({
+          object_src: [`hello`, `nonce-foo`],
+        })
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[object_src]: using \\"nonce-*\\" is considered insecure and is not allowed"`
+      );
+    });
+
+    it("throws if using `none` or `'none'`", () => {
+      expect(() =>
+        cspConfig.schema.validate({
+          object_src: [`hello`, `none`],
+        })
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[object_src]: using \\"none\\" would conflict with Kibana's default csp configuration and is not allowed"`
+      );
+
+      expect(() =>
+        cspConfig.schema.validate({
+          object_src: [`hello`, `'none'`],
+        })
+      ).toThrowErrorMatchingInlineSnapshot(
+        `"[object_src]: using \\"none\\" would conflict with Kibana's default csp configuration and is not allowed"`
+      );
+    });
+  });
+
   describe(`"frame_ancestors"`, () => {
     it('throws if using an `nonce-*` value', () => {
       expect(() =>
@@ -350,3 +412,40 @@ describe('config.validate()', () => {
     });
   });
 });
+
+describe('config deprecations', () => {
+  it('does not report deprecations for default configuration', () => {
+    const defaultConfig = { csp: {} };
+    const { messages, migrated } = applyConfigDeprecations(cloneDeep(defaultConfig));
+    expect(migrated).toEqual(defaultConfig);
+    expect(messages).toHaveLength(0);
+  });
+
+  it('warns when configuring csp.disableUnsafeEval', () => {
+    const userConfig = {
+      csp: {
+        disableUnsafeEval: false,
+      },
+    };
+    const { messages, configPaths, migrated } = applyConfigDeprecations(cloneDeep(userConfig));
+    expect(migrated).toEqual(userConfig);
+    expect(configPaths).toEqual(['csp.disableUnsafeEval']);
+    expect(messages).toEqual([
+      '`csp.disableUnsafeEval` has been replaced by the `csp.script_src` setting.',
+    ]);
+  });
+
+  it('warns when configuring the unused csp.report_only.object_src', () => {
+    const userConfig = {
+      csp: {
+        report_only: {
+          object_src: "'self'",
+        },
+      },
+    };
+    const { messages, configPaths, migrated } = applyConfigDeprecations(cloneDeep(userConfig));
+    expect(migrated).toEqual({}); // the setting should be removed from config
+    expect(configPaths).toEqual(['csp.report_only.object_src']);
+    expect(messages).toEqual(['You no longer need to configure "csp.report_only.object_src".']);
+  });
+});

src/core/packages/http/server-internal/src/csp/config.ts

@@ -74,6 +74,10 @@ const configSchema = schema.object(
       defaultValue: [],
       validate: getDirectiveValidator({ allowNone: false, allowNonce: false }),
     }),
+    object_src: schema.arrayOf(schema.string(), {
+      defaultValue: [],
+      validate: getDirectiveValidator({ allowNone: false, allowNonce: false }),
+    }),
     frame_ancestors: schema.arrayOf(schema.string(), {
       defaultValue: [],
       validate: getDirectiveValidator({ allowNone: false, allowNonce: false }),
@@ -142,4 +146,17 @@ export const cspConfig: ServiceConfigDescriptor<CspConfigType> = {
   // ? https://github.com/elastic/kibana/pull/52251
   path: 'csp',
   schema: configSchema,
+  deprecations: ({ unusedFromRoot, deprecateFromRoot }) => [
+    unusedFromRoot('csp.report_only.object_src', { level: 'warning' }),
+    deprecateFromRoot('csp.disableUnsafeEval', '10.0.0', {
+      level: 'warning',
+      message: '`csp.disableUnsafeEval` has been replaced by the `csp.script_src` setting.',
+      correctiveActions: {
+        manualSteps: [
+          'Remove the `csp.disableUnsafeEval` setting from your kibana configuration file.',
+          "Use `csp.script_src: ['unsafe-eval']` instead if you wish to enable `unsafe-eval`.",
+        ],
+      },
+    }),
+  ],
 };

src/core/packages/http/server-internal/src/csp/csp_config.test.ts

@@ -36,8 +36,8 @@ describe('CspConfig', () => {
       CspConfig {
         "disableEmbedding": false,
         "disableUnsafeEval": true,
-        "header": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'",
-        "reportOnlyHeader": "form-action 'report-sample' 'self'; object-src 'report-sample' 'none'",
+        "header": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'",
+        "reportOnlyHeader": "form-action 'report-sample' 'self'",
         "strict": true,
         "warnLegacyBrowsers": true,
       }
@@ -68,7 +68,7 @@ describe('CspConfig', () => {
         worker_src: ['foo', 'bar'],
       });
       expect(config.header).toEqual(
-        `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob: foo bar; style-src 'report-sample' 'self' 'unsafe-inline'`
+        `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob: foo bar; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
       );
     });
 
@@ -79,7 +79,7 @@ describe('CspConfig', () => {
       });
 
       expect(config.header).toEqual(
-        `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline' foo bar`
+        `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline' foo bar; object-src 'report-sample' 'none'`
       );
     });
 
@@ -90,7 +90,7 @@ describe('CspConfig', () => {
       });
 
       expect(config.header).toEqual(
-        `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'`
+        `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
       );
     });
 
@@ -100,9 +100,10 @@ describe('CspConfig', () => {
         script_src: ['script', 'foo'],
         worker_src: ['worker', 'bar'],
         style_src: ['style', 'dolly'],
+        object_src: ['object', 'obj'],
       });
       expect(config.header).toEqual(
-        `script-src 'report-sample' 'self' script foo; worker-src 'report-sample' 'self' blob: worker bar; style-src 'report-sample' 'self' 'unsafe-inline' style dolly`
+        `script-src 'report-sample' 'self' script foo; worker-src 'report-sample' 'self' blob: worker bar; style-src 'report-sample' 'self' 'unsafe-inline' style dolly; object-src 'report-sample' object obj`
       );
     });
 
@@ -114,7 +115,7 @@ describe('CspConfig', () => {
         style_src: ['style'],
       });
       expect(config.header).toEqual(
-        `script-src 'report-sample' 'self' script; worker-src 'report-sample' 'self' blob: worker; style-src 'report-sample' 'self' 'unsafe-inline' style`
+        `script-src 'report-sample' 'self' script; worker-src 'report-sample' 'self' blob: worker; style-src 'report-sample' 'self' 'unsafe-inline' style; object-src 'report-sample' 'none'`
       );
     });
 
@@ -127,7 +128,7 @@ describe('CspConfig', () => {
         });
 
         expect(config.header).toEqual(
-          `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'`
+          `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
         );
       });
 
@@ -139,7 +140,7 @@ describe('CspConfig', () => {
         });
 
         expect(config.header).toEqual(
-          `script-src 'report-sample' 'self' 'unsafe-eval' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'`
+          `script-src 'report-sample' 'self' 'unsafe-eval' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
         );
       });
 
@@ -150,7 +151,7 @@ describe('CspConfig', () => {
         });
 
         expect(config.header).toEqual(
-          `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'`
+          `script-src 'report-sample' 'self' foo bar; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'`
         );
       });
     });
@@ -163,7 +164,7 @@ describe('CspConfig', () => {
         expect(config.disableEmbedding).toEqual(disableEmbedding);
         expect(config.disableEmbedding).not.toEqual(CspConfig.DEFAULT.disableEmbedding);
         expect(config.header).toMatchInlineSnapshot(
-          `"script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; frame-ancestors 'self'"`
+          `"script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'; frame-ancestors 'self'"`
         );
       });
 
@@ -176,7 +177,7 @@ describe('CspConfig', () => {
         expect(config.disableEmbedding).toEqual(disableEmbedding);
         expect(config.disableEmbedding).not.toEqual(CspConfig.DEFAULT.disableEmbedding);
         expect(config.header).toMatchInlineSnapshot(
-          `"script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; frame-ancestors 'self'"`
+          `"script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'; frame-ancestors 'self'"`
         );
       });
     });
@@ -186,7 +187,7 @@ describe('CspConfig', () => {
     test(`adds, for example, CDN host name to directives along with 'self'`, () => {
       const config = new CspConfig(defaultConfig, { default_src: ['foo.bar'] });
       expect(config.header).toEqual(
-        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; default-src 'self' foo.bar"
+        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'; default-src 'self' foo.bar"
       );
     });
 
@@ -195,7 +196,7 @@ describe('CspConfig', () => {
         /* empty */
       });
       expect(config.header).toEqual(
-        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'"
+        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'"
       );
     });
     test('Passing an empty array in additional config does not affect existing config', () => {
@@ -204,7 +205,7 @@ describe('CspConfig', () => {
         worker_src: ['foo.bar'],
       });
       expect(config.header).toEqual(
-        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob: foo.bar; style-src 'report-sample' 'self' 'unsafe-inline'"
+        "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob: foo.bar; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'report-sample' 'none'"
       );
     });
   });