Content Security Policy

ordidaad · August 6, 2019, 6:10am

Hi,
i keep getting content-security-policy error while loading kibana in browser, so i put
csp.strict: false in my kibana.yml file but problem still remains.
Should i use csp.rules ?

Kibana version 7.3.0
OS: Ubuntu 18
browser: Chrome, Firefox

i am intended to run kibana on subdomain.

exact error:

kibana:1 Refused to load the script 'https://mysub.domain.com/cdn-cgi/apps/head/tasLbO6euogGbCLLTEoh3C4FAnM.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'nonce-+ua1j/YIhocrsxxB'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

How can i fix this ?

christophilus · August 6, 2019, 3:18pm

Interesting. I can ping our security folks, but first, you say you intended to run Kibana on a subdomain. I'm assuming the subdomain of the failing script matches the subdomain that Kibana is hosted on?

ordidaad · August 7, 2019, 4:41am

@christophilus

Hi chris, yes, it is on a VM that my subdomain pointed to. in fact, this is on local machine with local ip address which is accessible by a load balancer from outside through subdomain.

system · September 4, 2019, 4:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana only working over local Kibana	5	1178	June 21, 2019
[ SOLVED] Adding custom csp rule on Elastic Cloud : 'csp.rules': is not allowed - Not possible yet Kibana	5	1722	May 15, 2020
Problem in integrating external script in Kibana Plugin Kibana	2	1416	February 6, 2020
Is unsafe-eval required for script-src in the content-security-policy for Kibana 6.7.1? Kibana	6	3582	May 15, 2020
The page’s settings blocked the loading of a resource at inline (“script-src”) Kibana	6	2797	April 14, 2020

Content Security Policy

Related topics