Remove ace #30139

Open
9 tasks
epixa opened this issue Feb 5, 2019 · 6 comments

Comments

@epixa
Contributor

epixa commented Feb 5, 2019

The ace project at best is not aligned with our priorities in terms of accessibility and security, and at worst it is effectively abandoned entirely. Either way, it's not suitable for use in Kibana and we should remove it entirely.

First, we must decide which editor to switch to. The monaco editor is an option, but it's very large (>=5mb) and not mobile-friendly at all, so it's probably not the best option in most places in Kibana. We don't necessarily need only a single editor if we want to differentiate between robust editor capabilities and lighter editing.

Suggestions of an alternative are welcome, even if on a plugin by plugin basis.

We should address this throughout 7.x and have it closed out in 8.0. These are the plugins that use brace or ace today:

  • console (Replace Console's ace editor #42029) @elastic/es-ui
  • kbn_doc_views @elastic/kibana-app
  • kibana (saved objects UI) @elastic/kibana-platform
  • graph @elastic/kibana-app
  • grokdebugger ???
  • logstash ???
  • ml @elastic/ml-ui
  • searchprofiler @elastic/es-ui
  • watcher @elastic/es-ui
@epixa
Contributor Author

epixa commented Feb 5, 2019

Adding the discuss label since we need suggestions on the editor front.

@flash1293
Contributor

flash1293 commented Feb 6, 2019

Maybe https://github.com/codemirror/codemirror ? Looks pretty lightweight (~160kb): https://bundlephobia.com/[email protected]

Not sure whether all necessary features are provided though.

@lukas-vlcek

Codemirror is definitely a good choice for these. And you should consider supporting its author as well.

@cjcenizal
Contributor

> The ace project at best is not aligned with our priorities in terms of accessibility and security, and at worst it is effectively abandoned entirely

@epixa I know it's been a while, but I figured it was worth asking -- do we have any information regarding Ace editor's accessibility and security deficiencies?

I also checked out the Ace changelog and it seems fairly actively maintained. Do you have any information to the contrary?

@epixa
Contributor Author

epixa commented May 10, 2022

@cjcenizal Sorry, I don't really remember the context here. I should have provided it in the issue. Based on the timing, at least from a security standpoint I suspect the issue was around our efforts to roll out Content Security Policy. Either Ace didn't support nonce, which was part of our original CSP configuration, and/or Ace uses eval behind the scenes. But I'm not certain.

@legrego
Member

legrego commented Sep 9, 2022

Resurrecting the CSP discussion, I discovered that ace is preventing us from removing worker-src blob: from our CSP.

worker-src blob: effectively allows for arbitrary code execution within a web worker, similar to how script-src unsafe-eval does for the primary window. We have experimental support for running Kibana without unsafe-eval today, and it would be great if we could do the same for worker-src blob:.

As I noted in #140388, it looks possible to run ace without web workers, but I strongly suspect that would come with a performance penalty which may not be acceptable given our widespread usage.

edit: it appears that monaco suffers the same fate.

cc @elastic/kibana-security
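
The CSP concern raised in this thread can be checked mechanically. The following is an added example, not code from the thread or from Kibana: it audits a policy for `'unsafe-eval'` on scripts and `blob:` on workers, including the CSP3 fallback where a missing `worker-src` is governed by `child-src`, `script-src`, then `default-src`. The function names and the sample policies are assumptions made for illustration.

```javascript
// Added example: the policies at the bottom are constructed samples, not Kibana's CSP.

// Parse a CSP header value into Map<directive, sources[]>.
// Directive names are case-insensitive; a repeated directive is ignored (first wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// CSP3 fallback chains: a missing worker-src is governed by child-src,
// then script-src, then default-src.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
};

function effectiveSources(policy, directive) {
  for (const name of FALLBACK[directive]) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return { from: null, sources: null }; // nothing restricts this fetch type
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const checks = [['script-src', "'unsafe-eval'"], ['worker-src', 'blob:']];
  for (const [directive, risky] of checks) {
    const { from, sources } = effectiveSources(policy, directive);
    if (sources === null) {
      findings.push(`${directive}: unrestricted (no directive or fallback set)`);
    } else if (sources.some((s) => s.toLowerCase() === risky)) {
      findings.push(`${directive}: ${risky} allowed via ${from}`);
    }
  }
  return findings;
}

// Constructed sample policies.
const PERMISSIVE = "script-src 'self' 'unsafe-eval'; worker-src blob: 'self'";
const IMPLICIT = "default-src 'self'; script-src 'self' blob:";
const STRICT = "script-src 'self'; worker-src 'self'";
console.log(auditCsp(PERMISSIVE), auditCsp(IMPLICIT), auditCsp(STRICT));
```

The second sample shows why dropping the `worker-src` directive alone is not enough: with no `worker-src` or `child-src`, workers inherit `blob:` from `script-src`.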
