Provide a doc link to IE 11 users when showing "Your browser does not meet the security requirements.."

[LeeDr]

Kibana version: 7.2.0 (I think this dialog was introduced in 7.0 or 7.1?)

Elasticsearch version: 7.2.0

Server OS version: Ubuntu 18 (all OSs)

Browser version: IE 11

Browser OS version: Windows 10

Original install method (e.g. download page, yum, from source, etc.): .deb packages default distribution

Describe the bug: When a IE 11 user connects to Kibana they see a dialog that says "Your browser does not meet the security requirements for Kibana." But it disappears in 5 seconds, and it doesn't have any suggestions or link for more information.

They might guess that they should use Chrome or Firefox browsers (if they have those installed).

Steps to reproduce:

1. Use IE 11 to connect to Kibana
2. See the dialog in the lower right corner
3. If you want to see it again, refresh the browser

Expected behavior:

• [ ] Have a link to documentation describing that CSP is not supported in Internet Explorer.
• [ ] Our doc could have a link to some official Microsoft doc [optional].
• [ ] And our doc should list the our recommended browser (Chrome) and supported browsers (Firefox and Safari, and?).
• [ ] Our doc should describe the csp.strict: true|false setting for kibana.yml
• [ ] Our doc should mention our change for 8.0 to default to csp.strict: true
• [ ] if it's possible, change the dialog to a longer timeout or even one that requires a click to clear

Screenshots (if relevant): Current 7.2.0 screenshot from IE 11 with default csp.strict: false;

If you set csp.strict: true then IE 11 browser shows this;

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context: Related to https://github.com/elastic/kibana/issues/30468

[elasticmachine]

Pinging @elastic/kibana-docs

[elasticmachine]

Pinging @elastic/kibana-operations

[jbudz]

👍 , +platform

[elasticmachine]

Pinging @elastic/kibana-platform

[elasticmachine]

Pinging @elastic/kibana-security

[KOTungseth]

@joshdover could you help us with this one? We are unsure about what exactly we are documenting here and where.

[gchaps]

@LeeDr Does this documentation meet your needs, or is there another place that you suggest where we should update the documentation?

Documentation on csp.strict: true|false setting for kibana.yml. https://www.elastic.co/guide/en/kibana/7.5/settings.html

Documentation on change for 8.0 to default to csp.strict: true. https://www.elastic.co/guide/en/kibana/master/settings.html

Documentation on CSP https://www.elastic.co/guide/en/kibana/master/production.html

[LeeDr]

Yes. I think the warning dialog that appears in Kibana when using IE should link to that https://www.elastic.co/guide/en/kibana/{BRANCH}/settings.html page.

It might also be nice if those settings.html pages had a link to the CSP session in the production.html page too. https://www.elastic.co/guide/en/kibana/master/production.html#csp-strict-mode

[gchaps]

I added a link in the settings.html page to the CSP section in the production.html page. I'm removing the Team:Doc label from this issue. Feel free to add the label back if you feel more documentation is needed.

[LeeDr]

At some point we might start referring IE users to the new Chromium-based Edge browser which was just released.

[davidjmemmett]

I'm seeing this message in Google Chrome Version 81.0.4044.122 (Official Build) (64-bit) on Ubuntu 19.10 every time I navigate to a different page in Kibana. Is there any way to turn this off?

[LeeDr]

@davidjmemmett you definitely should not see the pop up in Chrome browser. Is this a Kibana instance you manage? Are there any csp settings set in your kibana.yml?

[davidjmemmett]

Hi Lee,

This is an AWS-managed ElasticSearch v7.4 cluster - see attached screenshot.

Is this something I should get in touch with AWS support about?

Cheers, David

[LeeDr]

Yes, I think so. I've never seen that pop up appear on any browser except IE11.

[bconway]

I am seeing this pop up regularly now on the latest versions of Firefox and Chrome. Could the verbiage be updated to give some hint about what it means or how to fix it?

[LeeDr]

@blocknonip What version of Kibana are you on?

Where is your Kibana running (on premise, Elastic Cloud, a docker image you deployed, other)?

What versions of Firefox and Chrome are you running?

The 7.8.0 release is expected to have this additional dialog with a link to our support matrix;

[bconway]

It looks like we are running docker.elastic.co/kibana/kibana:7.7.1 in our Kubernetes cluster (EKS). Browser version is currently Firefox 77.0. I will test again when we bump it to 7.8.0. Thanks.

[LeeDr]

When you have an issue on this topic, try opening your browsers dev tools and report what you see. In the normal case with Chrome you should see;

(text also so it's searchable) Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.

bootstrap.js:11 ^ A single error about an inline script not firing due to content security policy is expected!

The key here being that you see 1 of these and not more.

[davidjmemmett]

It shouldn’t bring up an alert dialogue box for every user though regardless of their browser (latest Chrome).

Cheers, David

On 5 Jun 2020, at 22:32, Lee Drengenberg notifications@github.com wrote:

 When you have an issue on this topic, try opening your browsers dev tools and report what you see. In the normal case with Chrome you should see;

(text also so it's searchable) Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.

bootstrap.js:11 ^ A single error about an inline script not firing due to content security policy is expected!

The key here being that you see 1 of these and not more.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[danielhoherd]

I am seeing this error message in Safari 13.1.2, maybe due to the following:

[Error] Refused to connect to https://feeds.elastic.co/kibana/v7.8.0.json because it does not appear in the connect-src directive of the Content Security Policy.
[Error] TypeError: Not allowed by ContentSecurityPolicy
construct
Wrapper — commons.bundle.js:1:462409
construct
(anonymous function) — commons.bundle.js:1:461196
HttpFetchError — commons.bundle.js:1:464170
_callee3$ — commons.bundle.js:1:1281024
l — kbn-ui-shared-deps.js:288:969222
(anonymous function) — kbn-ui-shared-deps.js:288:968972
asyncGeneratorStep — commons.bundle.js:1:1275485
_throw — commons.bundle.js:1:1275900
promiseReactionJob

    (anonymous function) (newsfeed.plugin.js:6:9907)
    (anonymous function) (kbn-ui-shared-deps.js:381:383236)
    promiseReactionJob

[timroes]

Since Kibana is no longer supporting IE11 as a browser and this issue was IE11 specific, I am going to close it.

[danielhoherd]

@timroes It's not IE specific. Look above your last comment.