Tianle Huang

Results 11 comments of Tianle Huang

Just curious whether the "out of box" way is to make it a native feature under `src/` instead of `plugins/`

For "All other tests will be", currently there is no concrete plan for it. The team could gradually build the development velocity by migrating a few tests first. We also...

The doc issue for dynamic CSP has been merged. https://github.com/opensearch-project/documentation-website/issues/6139

My related change is for mitigating the Clickjacking vulnerability, specifically the directive `frame-ancestors` in CSP rules. The current issue by @gupta-mayank is about the directives `script-src` and `style-src` in CSP rules....

> @tianleh the solution for CSP should be supported without additional effort according to your current design which is to set the whole CSP policy that include the iframe related...

> "We have also explored the possibility of using 'nonce' with 'strict-dynamic' directives but looks like opensearch dashboards does not give any options/configurations to enable this."

`csp.rules` in OSD YML...

> @tianleh ,is there a way to turn on the nonce attributes for all the script and style elements that get loaded when the dashboards is initialized on the browser?...

> @tianleh , could you please let me know if you had the opportunity to check on this?

Have been busy with 2.13.0 release recently with code freeze date 3/19/2024....

1. The nonce syntax has been deprecated. See the code reference https://github.com/opensearch-project/OpenSearch-Dashboards/blame/27d73ab263a1663f90981d816ac77fb7660553d3/src/core/server/config/deprecation/core_deprecations.ts#L91
2. The key problem is that OSD will fail to load if you remove them. See the comment...

One document PR to update the instructions to configure CSP rules. https://github.com/opensearch-project/documentation-website/pull/7026