Content-Security-Policy for embedded kibana dashboards

I'm having an application with kibana dashboards embedded in iframe. The application is proxied by Nginx, with an additional Apache front-end.
My goal is to come up with a CSP without unsafe-hashes, unsafe-inline, unsafe-eval, ...

I'm still using 6.7, and in this thread @jportner points out that unsafe-eval is required for that version.

I tried to follow the related issues, but couldn't find an answer to this question: what is the minimum version that allows kibana to work properly without the need of any unsafe-* source in CSP?

Thank you in advance,
Paolo Arosio

Apparently, it's been fixed with https://github.com/elastic/kibana/pull/124484 ...

Any possibility it's backported to 7?

Regards,
Paolo

Hello,

There won't be backports other than critical security fixes to previous releases in 7.x unfortunately.

Thanks,
Bhavya