Copy assets from appropriate directory for kbn-monaco #178669
Conversation
Pinging @elastic/appex-sharedux (Team:SharedUX)
Overall I like this approach and I think it solves the non-origin Worker loading problem comprehensively.
Tested locally with CDN assets built being served from another domain and LGTM! Great work @eokoneyo
package.json
Outdated
@@ -1096,6 +1096,7 @@ | |||
"remark-gfm": "1.0.0", | |||
"remark-parse-no-trim": "^8.0.4", | |||
"remark-stringify": "^8.0.3", | |||
"remote-web-worker": "^0.0.9", |
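Review bot: the new dependency `"remote-web-worker": "^0.0.9"` is added with a caret range even though the package exists to monkey-patch the global Worker constructor, which the discussion below treats as security-sensitive; a pre-1.0 caret range lets any upstream release change that behaviour without review. Consider pinning an exact version, as the neighbouring `"remark-gfm": "1.0.0"` already does, or vendoring the shim as the later comments suggest.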
It's a weird quirk that setting worker-src (as we are doing) still does not fix this issue...
I was exploring a fix here but I think patching the global worker object may be the best way to ensure this doesn't trip up other devs. I think we should get @elastic/kibana-security eyes on this too.
FWIW in my local testing these were my CSP response headers:
script-src 'report-sample' 'self' 0719-85-145-78-244.ngrok-free.app; worker-src 'report-sample' 'self' blob: script-src 'report-sample' 'self' 0719-85-145-78-244.ngrok-free.app; worker-src 'report-sample' 'self' blob: 0719-85-145-78-244.ngrok-free.app; style-src 'report-sample' 'self' 'unsafe-inline' 0719-85-145-78-244.ngrok-free.app; connect-src 'self' *.elastic.co 0719-85-145-78-244.ngrok-free.app; font-src 'self' 0719-85-145-78-244.ngrok-free.app; img-src 'self' *.elastic.co data: 0719-85-145-78-244.ngrok-free.app; style-src 'report-sample' 'self' 'unsafe-inline' 0719-85-145-78-244.ngrok-free.app; connect-src 'self' *.elastic.co 0719-85-145-78-244.ngrok-free.app; font-src 'self' 0719-85-145-78-244.ngrok-free.app; img-src 'self' *.elastic.co data: 0719-85-145-78-244.ngrok-free.app
I was serving assets via ngrok to check how it plays over https too. As you can see worker-src includes 0719-85-145-78-244.ngrok-free.app 🤷🏻
It also caught me by surprise; I'm of the same opinion that we make the patch global so everyone gets it for free moving forward. I'll be pushing an update to this that's close to what you had but mostly builds off this library, with an extra conditional to account for how Ace editor workers get loaded.
kbn-test changes lgtm
Heya @eokoneyo! A couple QQ to help with my understanding:
Hi @kc13greiner!
Sure, Kibana packages its assets so its reference for assets points to the host machine that runs it, but with Serverless that didn't scale well (for example, there were cases of missing chunks because an open tab still refers to assets from a previous deployment that no longer exists). The CDN work makes it so that the aforementioned example issue doesn't occur.
As of now this is the most promising approach to circumvent the issue (the issue being that the worker constructor would only execute scripts that obey the same-origin policy), and for what it's worth the reason we can't opt for a specific fix that doesn't patch the worker global is because we'd have to patch Monaco itself.
Thank you for the detailed response 🚀
What other approaches were considered? Allowing all workers to circumvent the CSP definitely raises security concerns; is there any other way we could approach this that wouldn't be so global or could limit the impact?
@kc13greiner in this case we have set In this case the workaround is still constrained by
@eokoneyo @jloleysens ++ I see what you're getting at now - I'm still looking into it and discussing it with the team.
super( | ||
// Check if the URL is remote | ||
url.includes('://') && !url.startsWith(window.location.origin) && !url.startsWith('blob:') // to bootstrap the actual script to work around the same origin policy. | ||
? URL.createObjectURL( |
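Review bot: the `URL.createObjectURL(` branch has no visible matching `URL.revokeObjectURL`, so every Worker constructed from a remote URL leaves an object URL alive until the document unloads (the memory-leak observation below). Because the ternary is inlined in `super(...)` there is nowhere to revoke it; compute the script URL into a local first, e.g. `const src = toWorkerUrl(url); super(src, options); if (src !== url) URL.revokeObjectURL(src);` (helper name hypothetical). Minor: the comment `// to bootstrap the actual script to work around the same origin policy.` sits on the condition line but describes the `createObjectURL` branch; move it down to that branch.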
Observation/nit: I'm not sure how severe it is, but I think this may have a small memory leak. Seems low impact, just something to keep in mind!
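The blob: bootstrap from the hunk above, rewritten as an added example (not Kibana's code or the remote-web-worker package) that narrows the workaround to an allow-list of CDN origins, as asked about earlier in the thread, and revokes the object URL after construction, which closes the leak noted in this comment. Assumptions: the allow-list is populated from the `server.cdn.url` setting, the `classifyWorkerUrl`/`createWorker` names are mine, and `createWorker` is used in place of a global Worker patch.

```javascript
// Added example, not Kibana's code nor the remote-web-worker package: a narrowed
// form of the "bootstrap a cross-origin worker through a blob: URL" pattern.
// Assumption: the allowed CDN origins come from server.cdn.url (constructed below).

const ALLOWED_CDN_ORIGINS = ['https://my.cdn.test']; // constructed, would come from server.cdn.url

// Origin of an absolute http(s) URL; null for relative, blob: and data: URLs.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.origin : null;
  } catch {
    return null;
  }
}

// Classify a worker script URL. Exact origin comparison (not a string prefix
// check) so that https://my.cdn.test.example is not mistaken for the CDN.
//  'native'    -> same-origin, relative, blob: or data: URL; use the real constructor
//  'bootstrap' -> allow-listed CDN origin; load through a blob: bootstrap script
//  'reject'    -> any other origin
function classifyWorkerUrl(url, pageOrigin, allowed = ALLOWED_CDN_ORIGINS) {
  const origin = originOf(url);
  if (origin === null || origin === pageOrigin) return 'native';
  return allowed.includes(origin) ? 'bootstrap' : 'reject';
}

// Body of the blob worker: importScripts() fetches the real script. A blob: worker
// inherits the page's CSP, so that fetch is still governed by script-src.
function bootstrapSource(url) {
  return `importScripts(${JSON.stringify(url)});`;
}

// Browser-side factory (needs globalThis.Worker); used instead of a global Worker patch.
function createWorker(url, options) {
  const pageOrigin = globalThis.location ? globalThis.location.origin : null;
  const kind = classifyWorkerUrl(url, pageOrigin);
  if (kind === 'reject') throw new Error(`worker script origin not allowed: ${url}`);
  if (kind === 'native') return new globalThis.Worker(url, options);
  const blobUrl = URL.createObjectURL(
    new Blob([bootstrapSource(url)], { type: 'text/javascript' })
  );
  try {
    return new globalThis.Worker(blobUrl, options); // browsers resolve the blob URL at construction
  } finally {
    URL.revokeObjectURL(blobUrl); // release the object URL instead of leaking it until unload
  }
}
```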
LGTM!
💚 Build Succeeded
## Summary

Fix #179058

Update the `transformRequest` function to create URLs that are callable from inside workers that don't share the same domain. Proposal is to convert absolute path values to absolute URLs, e.g. `/my/path` => `https://my.origin/my/path`.

- [x] Blocked by #178669

## Test locally with CDN

Easiest way to test is via the observability project built on this PR (see buildkite output), otherwise:

- Build CDN assets (`node ./scripts/build.js --skip-docker-ubi --skip-docker-ubuntu --skip-docker-fips --skip-os-packages`)
- Unpack the CDN assets `target/kibana-8.14.0-SNAPSHOT-cdn-assets.tar.gz` and serve them with `npx http-server -p 1772 --cors --gzip --brotli`; remember to change the hash dir name to `XXXXXXXXXXXX`
- Serve via a different domain, e.g.:
  ```
  ## My test
  127.0.0.1 my.cdn.test
  ```
- Configure Kibana to load assets: `server.cdn.url: http://my.cdn.test`

---------

Co-authored-by: Eyo Okon Eyo <eyo.eyo@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
Closes #178448
Per the configuration in Kibana, Monaco by default will attempt to load the specific worker for each language using the public path record defined on `window.__kbnPublicPath__` (see here), but an error occurs whilst attempting to request the script at the URL we expect it to be at because it doesn't exist there, as seen here. Ideally this works, but with the current setup for CDN assets it doesn't map 1:1 to how the assets are expected; we should be copying from the directory `target_workers` to match the same definition for building packages, similar to what we have here, which is what this PR introduces.

The hypothesis above is verifiable by attempting to request the same resource on the same build of the deployment where the error is reported, with the `target_workers` path prepended, like so: https://kibana.estccdn.com/552e8adcca05/bundles/kbn-monaco/target_workers/json.editor.worker.js, and we get the file.