CSP in Kibana

Alder · September 10, 2020, 10:54am

Hello to all of the elastic team.

I'm trying create a space with the C# code below. The http response suggests that CSP rules are blocking my request

    private void testCreateSpace()
    {
        string spaceJson = "{\"id\": \"alder_id\",\"name\": \"Alder\",\"description\" : \"Teste de criação de space Alder\"}";

        using (var wb = new WebClient())
        {
            wb.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36");
            wb.Headers.Add("username","elastic");
            wb.Headers.Add("password", "passtest");
            var response = wb.UploadString("http://win-5jrakspu4gn:5601/api/spaces/space", "POST", spaceJson);

            Console.WriteLine(response);
        }
    }

I tried the settings on kibana.yml but not successful, the blocking continues

csp.strict: false

Version Kibana 7.8.1
Version Elastic 7.8.1

Att,
Alder

flash1293 · September 10, 2020, 10:59am

Can you show the exact error you are running into? In general, CSP rules are enforced on the client, so you should be able to resolve this in your C# code.

Alder · September 10, 2020, 11:28am

Thanks for the quick reply
The response is very long, follow just end of it.

<div class="kbnWelcomeText" data-error-message="Elastic did not load properly. Check the server output for more information.">Loading Elastic</div><div class="kbnProgress"></div></div></div><div class="kbnWelcomeView" id="kbn_legacy_browser_error" style="display:none"><svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" 

...

 Z"></path></g></svg><h2 class="kbnWelcomeTitle">Please upgrade your browser</h2><div class="kbnWelcomeText">This Elastic installation has strict security requirements enabled that your current browser does not meet.</div></div><script>
            // Since this is an unsafe inline script, this code will not run
            // in browsers that support content security policy(CSP). This is
            // intentional as we check for the existence of __kbnCspNotEnforced__ in
            // bootstrap.
            window.__kbnCspNotEnforced__ = true;
          </script><script src="/bundles/app/core/bootstrap.js"></script></body></html>

Alder · September 10, 2020, 2:07pm

I found the error, the kbn-xsrf header was not set.
Authentication was enabled and masked the principal error
Thanks for the answers, helped me to solve the problem

system · October 8, 2020, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.