You should be able to configure the CORS settings via the server.cors setting in kibana.yml, which will be forwarded to hapijs. For the valid values of that setting, please see the CORS-related settings in the hapi route options documentation. It would roughly look like this, but please check the linked documentation for specifics that might apply to your deployment environment:
server.cors:
origin: ['YOUR', 'ORIGINS', 'HERE']
credentials: true