Content-Security-Policy for embedded Kibana dashboards

I have an application with Kibana dashboards embedded in an iframe. The application is proxied by Nginx, with an additional Apache front-end.
My goal is to come up with a CSP without unsafe-hashes, unsafe-inline, unsafe-eval, ...

I'm still using 6.7, and in this thread @jportner points out that unsafe-eval is required for that version.

I tried to follow the related issues, but couldn't find an answer to this question: what is the minimum version that allows Kibana to work properly without the need for any unsafe-* source in CSP?

Thank you in advance,
Paolo Arosio
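One way to check a response's Content-Security-Policy header values for the unsafe-* sources the question wants to avoid, as an added example that is not part of the original thread. The function names, the sample header values and the `app.example.test` host are constructed for illustration.

```python
"""Audit CSP header values for 'unsafe-*' keyword sources (added example)."""


def parse_policies(header_values):
    """Split raw header values into a list of {directive: [sources]} dicts.

    One response can carry several policies: repeated headers (for example
    one per proxy layer) and comma-separated policies inside one value.
    """
    policies = []
    for value in header_values:
        for serialized in value.split(","):
            directives = {}
            for token in serialized.split(";"):
                parts = token.split()
                if not parts:
                    continue
                name = parts[0].lower()  # directive names are case-insensitive
                # A repeated directive is ignored; the first occurrence wins.
                directives.setdefault(name, parts[1:])
            if directives:
                policies.append(directives)
    return policies


def find_unsafe_sources(header_values):
    """Return (policy_index, directive, keyword) for every 'unsafe-*' source."""
    findings = []
    for index, directives in enumerate(parse_policies(header_values)):
        for name, sources in directives.items():
            for source in sources:
                keyword = source.lower()  # keyword sources match case-insensitively
                if keyword.startswith("'unsafe-") and keyword.endswith("'"):
                    findings.append((index, name, keyword))
    return findings


# Constructed sample: two header values as stacked layers might emit them.
SAMPLE_HEADERS = [
    "script-src 'self' 'unsafe-eval'; style-src 'self' 'UNSAFE-INLINE'; "
    "script-src 'self'",
    "default-src 'self'; frame-ancestors https://app.example.test",
]

if __name__ == "__main__":
    for policy, directive, keyword in find_unsafe_sources(SAMPLE_HEADERS):
        print(f"policy {policy}: {directive} allows {keyword}")
```

Feed it every Content-Security-Policy value seen on the final response, since a browser enforces each policy it receives and the proxy layers may each add one.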

Apparently, it's been fixed with https://github.com/elastic/kibana/pull/124484 ...

Any possibility it's backported to 7?

Regards,
Paolo

Hello,

There won't be backports other than critical security fixes to previous releases in 7.x, unfortunately.

Thanks,
Bhavya
