Content-Security-Policy for embedded kibana dashboards

parosio · May 24, 2022, 7:54am

I'm having an application with kibana dashboards embedded in iframe. The application is proxied by Nginx, with an additional Apache front-end.
My goal is to come up with a CSP without unsafe-hashes, unsafe-inline, unsafe-eval, ...

I'm still using 6.7, and in this thread @jportner points out that unsafe-eval is required for that version.

I tried to follow the related issues, but couldn't find an answer to this question: what is the minimum version that allows kibana to work properly without the need of any unsafe-* source in CSP?

Thank you in advance,
Paolo Arosio

parosio · June 17, 2022, 9:12am

Apparently, it's been fixed with https://github.com/elastic/kibana/pull/124484 ...

Any possibility it's backported to 7?

Regards,
Paolo

bhavyarm · June 17, 2022, 7:18pm

Hello,

There won't be backports other than critical security fixes to previous releases in 7.x unfortunately.

Thanks,
Bhavya

system · July 15, 2022, 7:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CSP errors when using an Kibana iframe Kibana	20	11143	October 5, 2020
Integration of Kibana dashboard in angular application Kibana	3	572	December 24, 2020
Embed Kibana Dashboard via IFrame / csp config Kibana	4	1461	January 13, 2022
Does Kibana need the autorisation of 'unsafe-inline' or 'unsafe-eval' to work properly Kibana	3	2274	June 25, 2020
Is unsafe-eval required for script-src in the content-security-policy for Kibana 6.7.1? Kibana	6	3512	May 15, 2020

Content-Security-Policy for embedded kibana dashboards

Related topics