I'm having an application with kibana dashboards embedded in iframe. The application is proxied by Nginx, with an additional Apache front-end.
My goal is to come up with a CSP without unsafe-hashes, unsafe-inline, unsafe-eval, ...
I'm still using 6.7, and in this thread @jportner points out that unsafe-eval is required for that version.
I tried to follow the related issues, but couldn't find an answer to this question: what is the minimum version that allows kibana to work properly without the need of any unsafe-* source in CSP?
Thank you in advance,
Paolo Arosio