Kibana content-security-policy page errors #1275

Open
alexbegg opened this issue Nov 12, 2021 · 4 comments
@alexbegg

The Kibana that comes with Astronomer (I am on Astronomer platform v0.25.11) shows an error "Your browser does not meet the security requirements for Kibana."

[Screenshot: Kibana page showing the warning, taken 2021-11-11]

When I looked up this message online, it appears to be related to the content-security-policy: https://discuss.elastic.co/t/browser-security-requirements-warning-when-login/241257

I checked the console messages and it is bringing up a few content-security-policy page errors, primarily for the following two URLs:

  • https://feeds.elastic.co/kibana/v7.10.2.json
  • https://telemetry.elastic.co/xpack/v2/send

Should the Content-Security-Policy be updated for NGINX here?

Content-Security-Policy: "default-src 'self' *.{{ .Values.global.baseDomain }}; script-src 'unsafe-inline' 'unsafe-eval' *.{{ .Values.global.baseDomain }} cdn.jsdelivr.net cdn.astronomer.io cdn.metarouter.io cdn.segment.com www.google-analytics.com js.stripe.com widget.intercom.io js.intercomcdn.com cdn.lr-ingest.io; img-src 'self' data: *; connect-src *.{{ .Values.global.baseDomain }} wss://*.{{ .Values.global.baseDomain }} e.metarouter.io api.segment.com api.segment.io api-iam.intercom.io wss://nexus-websocket-a.intercom.io; style-src 'unsafe-inline' *.{{ .Values.global.baseDomain }} cdn.jsdelivr.net fonts.googleapis.com; frame-src js.stripe.com; font-src *.{{ .Values.global.baseDomain }} cdn.astronomer.io fonts.gstatic.com js.intercomcdn.com data:; worker-src blob:"
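Added example (not code from the Astronomer project or the issue author): it evaluates the NGINX policy quoted above against the two URLs from the console, assuming a constructed base domain `example.com` and a Kibana page origin `https://kibana.example.com`, and shows what appending `feeds.elastic.co` to `connect-src` would change. Matching is simplified to `'self'`, `*` and host-sources.

```python
"""Does the Astronomer NGINX CSP from this issue let Kibana reach a given URL?
Added example, not Astronomer project code. POLICY is the issue's header cut down
to the relevant directives, with `*.{{ .Values.global.baseDomain }}` rendered for a
constructed base domain (example.com); matching covers 'self', '*' and host-sources."""
from urllib.parse import urlsplit
BASE_DOMAIN = "example.com"  # constructed stand-in for .Values.global.baseDomain
ORIGIN = f"https://kibana.{BASE_DOMAIN}"  # constructed Kibana page origin
POLICY = (
    "default-src 'self' *.{b}; "
    "connect-src *.{b} wss://*.{b} e.metarouter.io api.segment.com api.segment.io "
    "api-iam.intercom.io wss://nexus-websocket-a.intercom.io; img-src 'self' data: *"
).format(b=BASE_DOMAIN)
FEEDS_URL = "https://feeds.elastic.co/kibana/v7.10.2.json"  # blocked per the console
TELEMETRY_URL = "https://telemetry.elastic.co/xpack/v2/send"  # blocked per the console
UPGRADES = {("http", "https"), ("ws", "wss")}  # CSP3 scheme-part match allows these


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, url: str, origin: str = ORIGIN) -> bool:
    """Match one CSP source expression against a URL."""
    target, page = urlsplit(url), urlsplit(origin)
    if source == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if source.startswith("'") or source.endswith(":"):
        return False  # other keywords and scheme-sources (data:) never match network URLs
    scheme, _, host = source.rpartition("://")
    scheme = scheme or page.scheme  # schemeless source inherits the page's scheme
    if target.scheme != scheme and (scheme, target.scheme) not in UPGRADES:
        return False  # so *.example.com on an https page does not cover wss://
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])  # wildcard covers subdomains only
    return host == "*" or target.hostname == host


def allowed_by(directive: str, url: str, policy: str = POLICY) -> bool:
    """Is `url` permitted under `directive`? Falls back to default-src as CSP does."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src", []))
    return any(source_matches(s, url) for s in sources)


def with_connect_src(policy: str, *hosts: str) -> str:
    """Policy with extra host-sources on connect-src, the header change the issue asks about."""
    directives = parse_csp(policy)
    directives["connect-src"] = directives.get("connect-src", []) + list(hosts)
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in directives.items())
```

Running `allowed_by("connect-src", FEEDS_URL)` and the same for `TELEMETRY_URL` returns False under the quoted policy, which is the console error; the schemeless `*.example.com` entry also does not cover `wss://kibana.example.com`, which is why the header lists `wss://*.{{ .Values.global.baseDomain }}` separately.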

@pgvishnuram pgvishnuram self-assigned this Jan 19, 2022
@pgvishnuram
Contributor

@danielhoherd

@danielhoherd
Member

Internal discussion thread: https://astronomer.slack.com/archives/CE3J4L7QT/p1642632753017900

@alexbegg
Author

alexbegg commented Mar 12, 2022

@pgvishnuram @danielhoherd Any update on this?

I can't see that link since I am not an Astronomer employee; I am an Astronomer enterprise customer.

FYI, I wanted to state that I added a few Kibana configurations via environment variables (set through Helm values) in my installation to get rid of any errors or warnings:

kibana:
  env:
    SERVER_PUBLICBASEURL: "https://kibana.BASEDOMAIN_HERE" # There is currently a warning on Kibana pages stating that `server.publicBaseUrl` is missing and should be configured, so setting it here. It must not end with a `/`.
    CSP_WARNLEGACYBROWSERS: "false" # There is currently a warning on Kibana pages "Your browser does not meet the security requirements for Kibana.", disabling the warning for now.
    NEWSFEED_ENABLED: "false" # There is currently a Content Security Policy restriction connecting to the news feed, disabling it for now.

The last one, NEWSFEED_ENABLED: "false" avoids the Content Security Policy restriction connecting to https://feeds.elastic.co/kibana/v....json since that request is to the news feed.

It seems the error with https://telemetry.elastic.co/xpack/v2/send went away in a recent release.

@pgvishnuram
Contributor

Hi @alexbegg - Thanks for the additional info. We will take a look and see if it can be addressed in later releases. Will keep you posted once it is available in one of our releases.
