[8.0] Remove support for configuring csp.rules (#114379)

Co-authored-by: Kibana Machine <[email protected]>

docs/development/core/server/kibana-plugin-core-server.cspconfig.md

@@ -24,7 +24,6 @@ The constructor for this class is marked as internal. Third-party code should no
 |  [DEFAULT](./kibana-plugin-core-server.cspconfig.default.md) | <code>static</code> | <code>CspConfig</code> |  |
 |  [disableEmbedding](./kibana-plugin-core-server.cspconfig.disableembedding.md) |  | <code>boolean</code> |  |
 |  [header](./kibana-plugin-core-server.cspconfig.header.md) |  | <code>string</code> |  |
-|  [rules](./kibana-plugin-core-server.cspconfig.rules.md) |  | <code>string[]</code> |  |
 |  [strict](./kibana-plugin-core-server.cspconfig.strict.md) |  | <code>boolean</code> |  |
 |  [warnLegacyBrowsers](./kibana-plugin-core-server.cspconfig.warnlegacybrowsers.md) |  | <code>boolean</code> |  |
 

docs/development/core/server/kibana-plugin-core-server.icspconfig.disableembedding.md

@@ -4,7 +4,7 @@
 
 ## ICspConfig.disableEmbedding property
 
-Whether or not embedding (using iframes) should be allowed by the CSP. If embedding is disabled \*and\* no custom rules have been defined, a restrictive 'frame-ancestors' rule will be added to the default CSP rules.
+Whether or not embedding (using iframes) should be allowed by the CSP. If embedding is disabled, a restrictive 'frame-ancestors' rule will be added to the default CSP rules.
 
 <b>Signature:</b>
 

docs/development/core/server/kibana-plugin-core-server.icspconfig.md

@@ -16,9 +16,8 @@ export interface ICspConfig
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [disableEmbedding](./kibana-plugin-core-server.icspconfig.disableembedding.md) | <code>boolean</code> | Whether or not embedding (using iframes) should be allowed by the CSP. If embedding is disabled \*and\* no custom rules have been defined, a restrictive 'frame-ancestors' rule will be added to the default CSP rules. |
+|  [disableEmbedding](./kibana-plugin-core-server.icspconfig.disableembedding.md) | <code>boolean</code> | Whether or not embedding (using iframes) should be allowed by the CSP. If embedding is disabled, a restrictive 'frame-ancestors' rule will be added to the default CSP rules. |
 |  [header](./kibana-plugin-core-server.icspconfig.header.md) | <code>string</code> | The CSP rules in a formatted directives string for use in a <code>Content-Security-Policy</code> header. |
-|  [rules](./kibana-plugin-core-server.icspconfig.rules.md) | <code>string[]</code> | The CSP rules used for Kibana. |
 |  [strict](./kibana-plugin-core-server.icspconfig.strict.md) | <code>boolean</code> | Specify whether browsers that do not support CSP should be able to use Kibana. Use <code>true</code> to block and <code>false</code> to allow. |
 |  [warnLegacyBrowsers](./kibana-plugin-core-server.icspconfig.warnlegacybrowsers.md) | <code>boolean</code> | Specify whether users with legacy browsers should be warned about their lack of Kibana security compliance. |
 

docs/migration/migrate_8_0.asciidoc

@@ -48,6 +48,12 @@ for example, `logstash-*`.
 
 *Impact:* To allow Kibana to function for these legacy browsers, set `csp.strict: false`. Since this is about enforcing a security protocol, we *strongly discourage* disabling `csp.strict` unless it is critical that you support Internet Explorer 11.
 
+[float]
+==== Configuring content security policy rules is no longer supported
+*Details:* Configuring `csp.rules` is removed in favor of per-directive specific configuration. Configuring the default `csp.script_src`, `csp.workers_src` and `csp.style_src` values is not required.
+
+*Impact:* Configure per-directive sources instead. See https://github.com/elastic/kibana/pull/102059 for more details.
+
 [float]
 ==== Default logging timezone is now the system's timezone
 *Details:* In prior releases the timezone used in logs defaulted to UTC. We now use the host machine's timezone by default.

docs/setup/settings.asciidoc

@@ -26,13 +26,6 @@ Toggling this causes the server to regenerate assets on the next startup,
 which may cause a delay before pages start being served.
 Set to `false` to disable Console. *Default: `true`*
 
-| `csp.rules:`
- | deprecated:[7.14.0,"In 8.0 and later, this setting will no longer be supported."]
-A https://w3c.github.io/webappsec-csp/[Content Security Policy] template
-that disables certain unnecessary and potentially insecure capabilities in
-the browser. It is strongly recommended that you keep the default CSP rules
-that ship with {kib}.
-
 | `csp.script_src:`
 | Add sources for the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src[Content Security Policy `script-src` directive].
 
@@ -502,8 +495,7 @@ To disable, set to `null`. *Default:* `null`
 | Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy[`Content-Security-Policy`] and
 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options[`X-Frame-Options`] headers are configured to disable embedding
 {kib} in other webpages using iframes. When set to `true`, secure headers are used to disable embedding, which adds the `frame-ancestors:
-'self'` directive to the `Content-Security-Policy` response header (if you are using the default CSP rules), and adds the `X-Frame-Options:
-SAMEORIGIN` response header. *Default:* `false`
+'self'` directive to the `Content-Security-Policy` response header and adds the `X-Frame-Options: SAMEORIGIN` response header. *Default:* `false`
 
 | `server.customResponseHeaders:` {ess-icon}
  | Header names and values to

src/core/server/config/deprecation/core_deprecations.test.ts

@@ -83,100 +83,4 @@ describe('core deprecations', () => {
       expect(messages).toHaveLength(0);
     });
   });
-
-  describe('cspRulesDeprecation', () => {
-    describe('with nonce source', () => {
-      it('logs a warning', () => {
-        const settings = {
-          csp: {
-            rules: [`script-src 'self' 'nonce-{nonce}'`],
-          },
-        };
-        const { messages } = applyCoreDeprecations(settings);
-        expect(messages).toMatchInlineSnapshot(`
-            Array [
-              "csp.rules no longer supports the {nonce} syntax. Replacing with 'self' in script-src",
-            ]
-        `);
-      });
-
-      it('replaces a nonce', () => {
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'nonce-{nonce}'`] } }).migrated.csp
-            .rules
-        ).toEqual([`script-src 'self'`]);
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'unsafe-eval' 'nonce-{nonce}'`] } })
-            .migrated.csp.rules
-        ).toEqual([`script-src 'unsafe-eval' 'self'`]);
-      });
-
-      it('removes a quoted nonce', () => {
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'self' 'nonce-{nonce}'`] } }).migrated
-            .csp.rules
-        ).toEqual([`script-src 'self'`]);
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'nonce-{nonce}' 'self'`] } }).migrated
-            .csp.rules
-        ).toEqual([`script-src 'self'`]);
-      });
-
-      it('removes a non-quoted nonce', () => {
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'self' nonce-{nonce}`] } }).migrated
-            .csp.rules
-        ).toEqual([`script-src 'self'`]);
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src nonce-{nonce} 'self'`] } }).migrated
-            .csp.rules
-        ).toEqual([`script-src 'self'`]);
-      });
-
-      it('removes a strange nonce', () => {
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'self' blah-{nonce}-wow`] } }).migrated
-            .csp.rules
-        ).toEqual([`script-src 'self'`]);
-      });
-
-      it('removes multiple nonces', () => {
-        expect(
-          applyCoreDeprecations({
-            csp: {
-              rules: [
-                `script-src 'nonce-{nonce}' 'self' blah-{nonce}-wow`,
-                `style-src 'nonce-{nonce}' 'self'`,
-              ],
-            },
-          }).migrated.csp.rules
-        ).toEqual([`script-src 'self'`, `style-src 'self'`]);
-      });
-    });
-
-    describe('without self source', () => {
-      it('logs a warning', () => {
-        const { messages } = applyCoreDeprecations({
-          csp: { rules: [`script-src 'unsafe-eval'`] },
-        });
-        expect(messages).toMatchInlineSnapshot(`
-              Array [
-                "csp.rules must contain the 'self' source. Automatically adding to script-src.",
-              ]
-        `);
-      });
-
-      it('adds self', () => {
-        expect(
-          applyCoreDeprecations({ csp: { rules: [`script-src 'unsafe-eval'`] } }).migrated.csp.rules
-        ).toEqual([`script-src 'unsafe-eval' 'self'`]);
-      });
-    });
-
-    it('does not add self to other policies', () => {
-      expect(
-        applyCoreDeprecations({ csp: { rules: [`worker-src blob:`] } }).migrated.csp.rules
-      ).toEqual([`worker-src blob:`]);
-    });
-  });
 });

src/core/server/config/deprecation/core_deprecations.ts

@@ -45,64 +45,7 @@ const rewriteCorsSettings: ConfigDeprecation = (settings, fromPath, addDeprecati
   }
 };
 
-const cspRulesDeprecation: ConfigDeprecation = (settings, fromPath, addDeprecation) => {
-  const NONCE_STRING = `{nonce}`;
-  // Policies that should include the 'self' source
-  const SELF_POLICIES = Object.freeze(['script-src', 'style-src']);
-  const SELF_STRING = `'self'`;
-
-  const rules: string[] = settings.csp?.rules;
-  if (rules) {
-    const parsed = new Map(
-      rules.map((ruleStr) => {
-        const parts = ruleStr.split(/\s+/);
-        return [parts[0], parts.slice(1)];
-      })
-    );
-
-    return {
-      set: [
-        {
-          path: 'csp.rules',
-          value: [...parsed].map(([policy, sourceList]) => {
-            if (sourceList.find((source) => source.includes(NONCE_STRING))) {
-              addDeprecation({
-                message: `csp.rules no longer supports the {nonce} syntax. Replacing with 'self' in ${policy}`,
-                correctiveActions: {
-                  manualSteps: [`Replace {nonce} syntax with 'self' in ${policy}`],
-                },
-              });
-              sourceList = sourceList.filter((source) => !source.includes(NONCE_STRING));
-
-              // Add 'self' if not present
-              if (!sourceList.find((source) => source.includes(SELF_STRING))) {
-                sourceList.push(SELF_STRING);
-              }
-            }
-
-            if (
-              SELF_POLICIES.includes(policy) &&
-              !sourceList.find((source) => source.includes(SELF_STRING))
-            ) {
-              addDeprecation({
-                message: `csp.rules must contain the 'self' source. Automatically adding to ${policy}.`,
-                correctiveActions: {
-                  manualSteps: [`Add 'self' source to ${policy}.`],
-                },
-              });
-              sourceList.push(SELF_STRING);
-            }
-
-            return `${policy} ${sourceList.join(' ')}`.trim();
-          }),
-        },
-      ],
-    };
-  }
-};
-
-export const coreDeprecationProvider: ConfigDeprecationProvider = ({ rename, unusedFromRoot }) => [
+export const coreDeprecationProvider: ConfigDeprecationProvider = () => [
   rewriteCorsSettings,
   rewriteBasePathDeprecation,
-  cspRulesDeprecation,
 ];