[CSP] Added object-src to Content-Security-Policy-Report-Only header #209306

Draft. Wants to merge 3 commits into base: main

Conversation

@elena-shostak (Contributor) commented Feb 3, 2025

Summary

Added support for the object_src directive in reporting mode.

How to test

  • Add in your kibana.dev.yml:
      server.customResponseHeaders.Reporting-Endpoints: violations-endpoint="https://localhost:5601/kibana/internal/security/analytics/_record_violations"
      permissionsPolicy.report_to: [violations-endpoint]
  • Make sure you have dev tools configured for the Reporting API.
  • Add <embed src="https://not-example.com/flash" /> anywhere in the page body in src/platform/plugins/shared/home/public/application/components/home.tsx
  • Open Dev Tools -> Console. You should be able to see the violation.
[Screenshot 2025-02-03 at 14 30 03: the violation in Dev Tools -> Console]

Note

Hopefully, you should be able to see the violation in the Dev Tools -> Application -> Reporting, but it's sometimes hard to catch. My recent Chrome 132.0.6834.160 shows only CSP reports with disposition enforce, not report.

Checklist

  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Release Notes

Added object_src directive to Content-Security-Policy-Report-Only header.

Closes: #208590
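As an added example that is not part of this PR or of Kibana's own code: the report-only policy value the test steps rely on, serialized with a report-to group, and a receiver-side parser for the violation reports a browser posts back, in both the Reporting API shape (what the violations-endpoint group above would receive) and the legacy report-uri shape. The directive map, the sample report bodies and the analyst filter are constructed for the example; the group name and the blocked URL are taken from the test steps, and no Kibana API is assumed.

```typescript
// Added example (not Kibana code). Builds a report-only CSP value that carries
// object-src plus a report-to group, and parses the violation reports a browser
// posts back. The directive map and the report bodies below are constructed for
// this example; the group name and blocked URL come from the PR's test steps.

type CspDirectives = Record<string, string[]>;

/** Serialize a directive map into a CSP header value; `reportToGroup` must match a
 *  group name declared in the Reporting-Endpoints response header. */
function buildCspHeader(directives: CspDirectives, reportToGroup?: string): string {
  const parts = Object.entries(directives).map(([name, values]) => `${name} ${values.join(' ')}`);
  if (reportToGroup) parts.push(`report-to ${reportToGroup}`);
  return parts.join('; ');
}

/** Normalized violation record shared by both wire formats. */
interface CspViolation {
  documentUrl: string;
  blockedUrl: string;
  effectiveDirective: string;
  /** 'report' for Content-Security-Policy-Report-Only, 'enforce' for Content-Security-Policy. */
  disposition: 'enforce' | 'report';
}

/** Parse a Reporting API POST body (application/reports+json): an array of reports,
 *  of which only those with type "csp-violation" are relevant here. */
function parseReportingApiBody(json: string): CspViolation[] {
  const reports = JSON.parse(json) as Array<{ type: string; body: Record<string, unknown> }>;
  return reports
    .filter((r) => r.type === 'csp-violation')
    .map((r): CspViolation => ({
      documentUrl: String(r.body.documentURL),
      blockedUrl: String(r.body.blockedURL),
      effectiveDirective: String(r.body.effectiveDirective),
      disposition: r.body.disposition === 'enforce' ? 'enforce' : 'report',
    }));
}

/** Parse a legacy report-uri POST body (application/csp-report): a single object
 *  wrapped in a "csp-report" key, with hyphenated field names. */
function parseLegacyCspReportBody(json: string): CspViolation[] {
  const wrapper = JSON.parse(json) as { 'csp-report'?: Record<string, unknown> };
  const r = wrapper['csp-report'];
  if (!r) return [];
  // Older browsers only send violated-directive, which may include the source list.
  const directive = r['effective-directive'] ?? r['violated-directive'];
  return [{
    documentUrl: String(r['document-uri']),
    blockedUrl: String(r['blocked-uri']),
    effectiveDirective: String(directive).split(' ')[0],
    disposition: r.disposition === 'enforce' ? 'enforce' : 'report',
  }];
}

/** Keep only object-src violations raised by the report-only policy, i.e. the ones
 *  that become observable once object-src is added to the Report-Only header. */
function reportOnlyObjectSrcViolations(violations: CspViolation[]): CspViolation[] {
  return violations.filter((v) => v.effectiveDirective === 'object-src' && v.disposition === 'report');
}

// Constructed sample: what a browser would POST to the violations-endpoint group
// after rendering <embed src="https://not-example.com/flash" /> under the policy.
// The second entry is a non-CSP report that the parser must ignore.
const SAMPLE_REPORTING_API_BODY = JSON.stringify([
  {
    type: 'csp-violation',
    age: 12,
    url: 'https://localhost:5601/app/home',
    user_agent: 'Mozilla/5.0 (constructed)',
    body: {
      documentURL: 'https://localhost:5601/app/home',
      blockedURL: 'https://not-example.com/flash',
      effectiveDirective: 'object-src',
      originalPolicy: "object-src 'none'; report-to violations-endpoint",
      disposition: 'report',
      statusCode: 200,
    },
  },
  { type: 'deprecation', age: 3, url: 'https://localhost:5601/app/home', user_agent: 'x', body: { id: 'x' } },
]);

// Constructed sample in the legacy report-uri shape for the same violation, but
// raised by an enforcing policy, so the report-only filter must drop it.
const SAMPLE_LEGACY_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://localhost:5601/app/home',
    'blocked-uri': 'https://not-example.com/flash',
    'effective-directive': 'object-src',
    'violated-directive': "object-src 'none'",
    disposition: 'enforce',
  },
});

/** Run both parsers over the samples and return what an analyst would keep. */
function demo(): CspViolation[] {
  const all = [...parseReportingApiBody(SAMPLE_REPORTING_API_BODY), ...parseLegacyCspReportBody(SAMPLE_LEGACY_BODY)];
  return reportOnlyObjectSrcViolations(all);
}

console.log(buildCspHeader({ 'object-src': ["'none'"], 'frame-ancestors': ["'self'"] }, 'violations-endpoint'));
console.log(demo());
```

Filtering on disposition 'report' is what separates violations of the Report-Only header from those of the enforced header; that distinction is the one the note above says the DevTools Reporting panel was not surfacing, so a receiver that keeps the disposition field lets you verify the report-only path independently of the browser UI.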

github-actions bot commented Feb 3, 2025

It looks like this PR modifies one or more .asciidoc files. These files are being migrated to Markdown, and any changes merged now will be lost. See the migration guide for details.

github-actions bot commented Feb 3, 2025

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

@elena-shostak elena-shostak added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/CSP Platform Security - Content Security Policy labels Feb 3, 2025
@elena-shostak elena-shostak changed the title [CSP] Added object-src to Content-Security-Policy-Report-Only header [CSP] Added object-src to Content-Security-Policy-Report-Only header Feb 3, 2025
elasticmachine commented: 💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #9 / Alerting builtin alertTypes circuit_breakers index threshold rule that hits max alerts circuit breaker persist existing alerts to next execution if circuit breaker is hit
  • [job] [logs] Jest Integration Tests #1 / runs with default preResponse handlers does not allow overwriting of the "kbn-name", "Content-Security-Policy" and "Content-Security-Policy-Report-Only" headers
  • [job] [logs] Jest Integration Tests #1 / runs with default preResponse handlers does not allow overwriting of the "kbn-name", "Content-Security-Policy" and "Content-Security-Policy-Report-Only" headers
  • [job] [logs] Jest Tests #21 / useReplaceCustomField calls the api when invoked with the correct parameters

Metrics [docs]

✅ unchanged

Labels: Feature:Security/CSP Platform Security - Content Security Policy; release_note:enhancement; Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects: None yet
Development: Successfully merging this pull request may close these issues: Add object_src to report-only Content Security Policy
2 participants