CONSOLE-4263: Add initial Content Security Policy for Console web application #14156
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
vojtechszocs
force-pushed
the
add-initial-csp
branch
from
483bdec to
fc92790
Compare
vojtechszocs
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
vojtechszocs
changed the title
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
vojtechszocs
force-pushed
the
add-initial-csp
branch
from
00fa8f2 to
8af91c8
Compare
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
vojtechszocs
force-pushed
the
add-initial-csp
branch
from
433eb74 to
1b40190
Compare
spadgett
left a comment
spadgett
left a comment
There was a problem hiding this comment.
Thanks, @vojtechszocs! Happy to see progress here.
pkg/server/server.go
Outdated
There was a problem hiding this comment.
Great start.
I could see some of these directives breaking plugins. As we've talked about, we'll minimally need a mechanism for plugins to add values to cspSources and a plan to transition to enforcing.
There was a problem hiding this comment.
As we've talked about, we'll minimally need a mechanism for plugins to add values to cspSources
Sounds like an API change for the ConsolePlugin CRD
plan to transition to enforcing.
I feel like by the end of 4.18 we should have a clear picture on:
- What the CSP which we want to enforce should look like
- API change for the ConsolePlugin
pkg/server/server.go
Outdated
There was a problem hiding this comment.
We should determine if there is a more precise way to determine if we're using a webpack dev server in development mode. There are other use cases I know of where people run an off-cluster console.
There was a problem hiding this comment.
right, I think that should be the path forward
frontend/public/components/app.jsx
Outdated
There was a problem hiding this comment.
Is the violation automatically logged to the JS console as well?
We should discuss if there is a way during development mode to make it really obvious a violation occurred without the dev needing to explicitly check the console. Also we should think about the plugin development use case. We want to make sure plugin developers know they have violations that will break their plugin when we turn on enforcement.
There was a problem hiding this comment.
good idea. Maybe having a similar warnings like we do have with admission webhook, but just in the DEV mode?
There was a problem hiding this comment.
@spadgett @jhadvig I'm testing on Firefox and this is the observed behavior:
- First, the browser logs an error about the CSP violation with brief description of the problem. However, this log entry has no details on the actual cause of the problem.
- Then, the browser calls our custom SecurityPolicyViolationEvent handler which logs the CSP violation again, but this time with specific details.
I've chosen the Content-Security-Policy: ... log format for consistency with the browser issued log entries.
We should discuss if there is a way during development mode to make it really obvious a violation occurred without the dev needing to explicitly check the console.
👍 we could utilize toast messages or similar to notify developers of CSP problems.
Also we should think about the plugin development use case. We want to make sure plugin developers know they have violations that will break their plugin when we turn on enforcement.
Right, this is very important. Our policy must be adequate before we change Console CSP mode from report-only to enforce, otherwise we will break our plugins.
We should consider showing visual notifications whenever our CSP violation handler detects a plugin-related problem in all builds of Console frontend.
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@vojtechszocs: This pull request references CONSOLE-4170 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
vojtechszocs
force-pushed
the
add-initial-csp
branch
from
1b40190 to
34e4042
Compare
|
/retest |
|
It would be good to have something in CI to report violations. If the Cypress tests can run today without violations, we could turn this on now to avoid regressions. |
openshift-ci
bot
added
lgtm
|
I'd suggest we explore adding Cypress tests now if there are no known violations. Maybe there is something simple we can do to catch any CSP violation like we do for other generic runtime errors. It looks like there are some special considerations for Cypress, though: https://docs.cypress.io/guides/guides/content-security-policy |
|
/label px-approved |
openshift-ci
bot
added
the
px-approved
|
@spadgett yes we discussed with @vojtechszocs that the CI implementation would be done as a followup, but probably we should first address the one violation console is currently triggering. |
opayne1
left a comment
opayne1
left a comment
There was a problem hiding this comment.
Just a couple docs nits but otherwise looks good to me! I'll go ahead and add the label.
/label docs-approved
openshift-ci
bot
added
the
docs-approved
|
Thanks @opayne1 for your review, PR updated. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhadvig, vojtechszocs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| fmt.Sprintf("img-src %s data:", cspSources), | ||
| fmt.Sprintf("font-src %s data:", cspSources), |
There was a problem hiding this comment.
sorry, what does an empty data: schema mean here?
There was a problem hiding this comment.
This allows the web application to use data: URLs to embed certain content into the HTML markup.
In this case, we allow using data: URLs for img-src (images and favicons) and font-src (CSS fonts).
Using data: URLs is commonly used for web asset optimization. When building Console web application, the module bundler (webpack) may generate these data: URLs for any small-sized images and fonts.
There was a problem hiding this comment.
yes, this should be a valid value 👍
| console.warn( | ||
| `Content Security Policy violation seems to originate from plugin ${pluginName}`, | ||
| ); |
There was a problem hiding this comment.
when dynamic plugin triggers CSP violation, we can only see warning message Content Security Policy violation detected
Content Security Policy violation seems to originate from plugin ${pluginName} doesn't print
There was a problem hiding this comment.
When detecting whether the CSP violation originates from a dynamic plugin or from Console application code itself, we look at blockedURI and sourceFile properties - if their values start with {consoleBaseURL}/api/plugins/ prefix, it means that the associated resource is fetched via Console Bridge server's plugin asset endpoint which allows us to infer the name of the dynamic plugin.
This is why the message is phrased "seems to originate from plugin" instead of just "originates from plugin". Any CSP violations which are due to {consoleBaseURL}/api/plugins/... requests are associated with dynamic plugins, but any dynamic plugin can also make requests to other (non-Console) endpoints.
If a plugin makes requests to non-Console endpoints (regardless of whether the requested service is inside or outside the cluster) it will trigger CSP violations which we have no way of associating with that dynamic plugin. These kind of CSP violations will be logged, but the "seems to originate from plugin" will not apply to them.
Each dynamic plugin team should test their own plugin on a cluster and ensure there are no CSP violations that may be traced back to their plugin.
In case a plugin really needs to make requests to non-Console endpoints then it should explicitly list such endpoints via ConsolePlugin custom resource (CONSOLE-4265).
|
Deployed our console-demo-plugin and tested, can see some CSP violation errors in browser console |
These CSP violations are not due to dynamic demo plugin - these are non-Console endpoints: As mentioned in my comment above, any requests to non-Console endpoints will trigger CSP violations according to the current Console policy. We should determine whether ^^ endpoints are to be allowed on plugin level or on Console application level. |
|
Yes, we need to determine where these endpoints are being called from and add them as en exception. |
These endpoints are used by the Console application, so we'll need a follow-up change to include them in |
|
Thanks for detailed explanation @vojtechszocs |
openshift-ci
bot
added
the
qe-approved
|
@vojtechszocs: This pull request references CONSOLE-4263 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@vojtechszocs: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
8 participants
Summary
This PR adds initial Content Security Policy implementation for Console web application.
Initially, we will deploy CSP in report-only mode via
Content-Security-Policy-Report-OnlyHTTP header.CSP violations are handled explicitly via Console
SecurityPolicyViolationEventhandler, which does the following:With this PR, running Console and Bridge locally with dynamic demo plugin enabled should not trigger any CSP violations.
Note 📝 since we use
Content-Security-Policy-Report-Onlyinstead ofContent-Security-Policyheader, the browser may warn about Console CSP not containingreport-to(standard) orreport-uri(deprecated) directives as shown in the following screenshot:This warning is not an issue, since we use a custom CSP violation event handler. The "cannot report violations" part of this warning means the browser itself will not make any CSP related HTTP requests.
The error below the warning in the screenshot is due to Console HTML index template containing an inline script tag used to set up
SERVER_FLAGSand visual theme config. The proper way to address this error is to allow this script tag - either generate a SHA hash representing its contents or generate a cryptographically secure random token for the script.Follow-up work
Address the above mentioned CSP inline script tag error.
Testing this PR has revealed that webpack generated Console assets require the following CSP exceptions, these should be removed in the future:
script-src 'unsafe-eval'triggered by unsafe JS code likeeval()style-src 'unsafe-inline'triggered by inline<style>elementscc @spadgett @jhadvig