CSP errors when using an Kibana iframe

Running into CSP errors when using dashboard > share > embed > iframe. Copied the iframe to a local html file & pasted it there.

<html>
<body>
<iframe src="https://kibana.myurl:5601/app/dashboards#/view/fc6ea5f0-e3bf-11ea-84c0-073e1429eecc?embed=true&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-15M%2Cto%3Anow))&show-top-menu=true&show-query-input=true&show-time-filter=true" frameBorder="0" height="750" width="1200"></iframe>
</body>
</html>

Resulting in:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.

When I try to login using working login it just loops back to show the same login screen.

Versions:
ElasticSearch 7.9.0
Kibana: 7.9.0

2 Likes

Hi,
As the message below it says - A single error about an inline script not firing due to content security policy is expected. This is unfortunate, and we have an issue open to fix this behavior. So I don't think this is related to your issue.
Users you are sharing this with must have Kibana access to view an embedded dashboard.

Have you managed to share any other dashboard? Do they all result in the same problem?

1 Like

Hi, thanks for getting back to me.

I only have 1 dashboard at the moment, just using the elastic (root) user to login to Kibana but keeps redirecting to itself

I managed to reproduce this, looking into it now

Do you have mutiple spaces defined?

And which browser are you using to access the shared dashboard?

Hello! I faced the same problem today. Kibana is loaded into the iframe, and constantly asks for a login-password, I enter the correct login-password, but does not let it into the interface and again requires input. The errors in the console are the same. I registered in kibana.yml - csp.rules: "frame-src http: // localhost: 8080" - it does not help. Tell me how to completely disable CSP for Kibana? I don't need CSP.
At the same time - if you open the link (which opens in an iframe) in a separate tab - everything works correctly

Hi, Chrome: Version 83.0.4103.61 (Official Build) (64-bit)

No spaces are setup, just the default one.

My Kibana is running in https, have to tried running in https rather than http on localhost?

Thanks for reporting this @Sharry_Stowell and @User4. We've been getting several reports of this issue. Before digging into this further, could I just ask you to confirm your Kibana version and browser version you're using?

Thanks for noticing this issue! The version of the Google Chrome browser is 83.0.4103.97. Kibana version v 7.8.0. In Firefox 76.0 (64-bit) has no problem, Kibana loads correctly

Sure:

Linux Chrome: Version 83.0.4103.61 (Official Build) (64-bit)
Elasticsearch 7.9.0
Kibana: 7.9.0

We've had a similar issue after the latest Chrome upgrade. The solution there was to set sameSiteCookies: None in kibana.yml and use https (otherwise Chrome won't respect the setting). This will work for Kibana versions 7.8.1 and above

But this other error was only affecting the latest Chrome - 84.0.4147.135 - which neither of you are using, so I'm not sure if this is the same issue or if the solution would help you.

Could you try this and let me know if the issue still persists?

1 Like

Thank you, I'll have a go :slight_smile:

Do you mean:
xpack.security.sameSiteCookies: None

1 Like

Yes, sorry for not making this more clear

1 Like

My version of the Google Chrome browser is 85.0.4183.83 (64-bit). Kibana version v 7.7.1.
I've included kibana dashboard into my external web application which I'm running locally and kibana is in cloud. A week before it was working perfectly. But from start of this week, I'm getting this error "A single error about an inline script not firing due to content security policy is expected" . Kindly help me out from this issue. Thanks in advance!!

Hi, as the message says - a single error is expected. That error message has been there for a while. If Kibana is loading fine, you shouldn't worry about that particular error message.

Still continuing with same problem as I mentioned above. Kibana cloud is working absolutely fine. But I couldn't access in my external application. Getting this below error. I couldn't get proper source of the problem and solution. Kindly help me out.

Have you tried the solution with sameSiteCookies: None and it still didn't work?