Kibana: Microsoft Edge doesn't load kibana 7.3.2 - CSP14312 errors

Created on 24 Sep 2019 · 4 Comments · Source: elastic/kibana

Kibana version:
docker.elastic.co/kibana/kibana:7.3.2
Elasticsearch version:
docker.elastic.co/elasticsearch/elasticsearch:7.3.2
Server OS version:
Docker.
Browser version:
Microsoft Edge 44.18362.329.0

Microsoft EdgeHTML 18.18362
Browser OS version:
Windows 10 v1903
Original install method (e.g. download page, yum, from source, etc.):
Official elasticsearch helm chart
Describe the bug:
CSP14312 errors prevent Kibana from loading in Microsoft Edge

Steps to reproduce:

  1. Visit your Kibana URL using Microsoft Edge. It never loads and shows this error in the developer console:
CSP14312: Resource violated directive 'script-src 'unsafe-eval' 'nonce-zgpuwArCFXMdrPWH'' in Content-Security-Policy: https://kibana.mycompany.com/bundles/app/kibana/bootstrap.js. Resource will be blocked.

CSP14321: Resource violated directive 'script-src 'unsafe-eval' 'nonce-zgpuwArCFXMdrPWH'' in Content-Security-Policy: inline script, in https://kibana.mycompany.com/app/kibana at line 371 column 809. Resource will be blocked.

Expected behavior:

Kibana loads in MS Edge.

Errors in browser console (if relevant):

CSP14312: Resource violated directive 'script-src 'unsafe-eval' 'nonce-zgpuwArCFXMdrPWH'' in Content-Security-Policy: https://kibana.mycompany.com/bundles/app/kibana/bootstrap.js. Resource will be blocked.

CSP14321: Resource violated directive 'script-src 'unsafe-eval' 'nonce-zgpuwArCFXMdrPWH'' in Content-Security-Policy: inline script, in https://kibana.mycompany.com/app/kibana at line 371 column 809. Resource will be blocked.

Provide logs and/or server output (if relevant):
Logs from STD I/O on Docker container:

{"type":"response","@timestamp":"2019-09-24T21:21:28Z","tags":[],"pid":6,"method":"get","statusCode":200,"req":{"url":"/app/kibana","method":"get","headers":{"host":"kibana.mycompany.com","x-request-id":"a0ee26d1ad1d1266227cd5bc7d829ab8","x-real-ip":"10.112.51.251","x-forwarded-for":"10.112.51.251","x-forwarded-host":"kibana.mycompany.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-original-uri":"/app/kibana","x-scheme":"https","cache-control":"max-age=0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","accept-language":"en-US","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362","accept-encoding":"gzip, deflate, br"},"remoteAddress":"10.42.14.0","userAgent":"10.42.14.0"},"res":{"statusCode":200,"responseTime":303,"contentLength":9},"message":"GET /app/kibana 200 303ms - 9.0B"} 

Any additional context:
I think this was fixed in 6.x releases, but the fix doesn't seem to have made it into 7.3.2.

Possibly relevant issues:
https://github.com/elastic/kibana/issues/40891
https://github.com/elastic/kibana/issues/40674
https://github.com/elastic/kibana/issues/30988
https://github.com/elastic/kibana/pull/31610

Core blocker

All 4 comments

I can reproduce this, including on our demo site - same error.

4HTML1300: Navigation occurred.
demo.elastic.co (1,1)

CSP14312: Resource violated directive 'script-src 'unsafe-eval' 'nonce-ZGNj2tY3Zcs/ucJH'' in Content-Security-Policy: https://demo.elastic.co/bundles/app/kibana/bootstrap.js. Resource will be blocked.

CSP14321: Resource violated directive 'script-src 'unsafe-eval' 'nonce-ZGNj2tY3Zcs/ucJH'' in Content-Security-Policy: inline script, in https://demo.elastic.co/app/kibana at line 371 column 809. Resource will be blocked.

Pinging @elastic/kibana-platform

I'm marking this as a blocker so it gets re-triaged. Feel free to relabel accordingly

More details in this comment, but the tldr is:

  • Microsoft Edge's implementation of CSP is broken
  • Kibana does not officially support Edge at this time

That said, we did just remove our usage of the nonce- directive in 7.4 (for other reasons) which appears to be the reason Edge did not work. I did not test with Edge, but it may work when 7.4 is released.

If not, we expect that once Edge releases their Chromium-based update later this year that this problem will go away.
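
For triaging reports like this one, the following added example (not code from the Kibana project or from anyone in the thread) checks which script elements a nonce-based `script-src` policy should allow, so a nonce mismatch in the served HTML can be told apart from a browser-side CSP problem. It is a simplified model covering only nonce sources, `'self'` and `'unsafe-inline'`; the policy string is the one from the report, while the script list, the function names and the stale nonce are constructed for illustration.

```javascript
// Simplified CSP script-src evaluation: nonce sources, 'self', 'unsafe-inline'.
// Hashes, host lists, 'strict-dynamic' and default-src fallback are not modelled.
function parseScriptSrc(headerValue) {
  for (const directive of headerValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // no script-src directive in this policy
}

function checkScript(sources, script, pageOrigin) {
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  if (script.nonce && nonces.includes(script.nonce)) return 'allowed (nonce)';
  if (script.src) {
    const sameOrigin = new URL(script.src, pageOrigin).origin === pageOrigin;
    if (sameOrigin && sources.includes("'self'")) return 'allowed (self)';
    return 'blocked (external script needs a matching nonce)';
  }
  // 'unsafe-inline' is ignored for scripts once the policy carries a nonce source.
  if (sources.includes("'unsafe-inline'") && nonces.length === 0) {
    return 'allowed (unsafe-inline)';
  }
  return 'blocked (inline script needs a matching nonce)';
}

function auditScripts(headerValue, scripts, pageOrigin) {
  const sources = parseScriptSrc(headerValue);
  return scripts.map((s) => ({
    id: s.id,
    verdict: sources === null
      ? 'no script-src (check default-src)'
      : checkScript(sources, s, pageOrigin),
  }));
}

// Policy as quoted in the console errors above; script elements are constructed.
const SAMPLE_ORIGIN = 'https://kibana.mycompany.com';
const SAMPLE_POLICY = "script-src 'unsafe-eval' 'nonce-zgpuwArCFXMdrPWH'";
const SAMPLE_SCRIPTS = [
  { id: 'inline, matching nonce', nonce: 'zgpuwArCFXMdrPWH' },
  { id: 'bootstrap.js, matching nonce', src: '/bundles/app/kibana/bootstrap.js', nonce: 'zgpuwArCFXMdrPWH' },
  { id: 'bootstrap.js, no nonce', src: '/bundles/app/kibana/bootstrap.js' },
  { id: 'inline, stale nonce', nonce: 'AAAAAAAAAAAAAAAA' },
];

for (const r of auditScripts(SAMPLE_POLICY, SAMPLE_SCRIPTS, SAMPLE_ORIGIN)) {
  console.log(`${r.id}: ${r.verdict}`);
}
```

If every script in the HTML actually served comes back allowed under this model and the browser still logs CSP14312/CSP14321, the served policy and markup agree and the discrepancy lies in the browser's handling.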
