Does Kibana need the authorisation of 'unsafe-inline' or 'unsafe-eval' to work properly

Hi,

we are using ELK stack under version.

After a scan of our domain on Mozilla Observatory, the Mozilla tool showed us some recommendations to make the security of our domain better.

So we set in our front (Apache HTTPD 2.4) the Content Security Policy (CSP) to: script-src 'self'; manifest-src 'self'; style-src 'self'.

Kibana is running behind Apache. After this modification, Kibana is broken because Kibana executes some inline JavaScript:

"Something went wrong ....
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".


and also for inline CSS:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' . Either the 'unsafe-inline' keyword, a hash ('sha256-9eqTA9rNfDQK1402M6lNw3aW9MsK4p4IfCLxlVEbKkE='), or a nonce ('nonce-...') is required to enable inline execution

My question is: are we forced to be less restrictive on our Apache by permitting execution of inline CSS and JavaScript to make Kibana work, and does Kibana really need that?

Is there a way to make the whole thing work by configuring Kibana?

Best regards,

Hey @Otmane_Faouzi,

Kibana currently requires these unsafe-* CSP declarations, but this is something we are trying to improve. Kibana has a number of dependencies which rely on these "unsafe" language features, so we are stuck having to support these for the time being. We have a number of issues where we are tracking CSP enhancements:
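As an added example (not part of the thread, and not Elastic's own configuration): one way to honour the answer above without weakening the policy for the rest of the domain is to keep the strict header site-wide and relax only the two keywords the browser errors ask for, scoped to the path where Kibana is proxied. The /kibana path and the Kibana backend address are assumptions; Kibana must be configured with a matching server.basePath for such a sub-path deployment.

```apache
# Added example, not from the thread. Site-wide policy exactly as set in the
# question: no inline styles and no eval anywhere by default.
Header always set Content-Security-Policy \
    "script-src 'self'; manifest-src 'self'; style-src 'self'"

# Kibana is reverse-proxied under /kibana (assumed path; assumed backend
# 127.0.0.1:5601). The two browser errors quoted in the question name the only
# relaxations Kibana needs: 'unsafe-eval' in script-src and 'unsafe-inline'
# in style-src. A "Header set" inside <Location> replaces the site-wide value,
# so the relaxation applies only to documents served from this path.
<Location "/kibana">
    ProxyPass        "http://127.0.0.1:5601/kibana"
    ProxyPassReverse "http://127.0.0.1:5601/kibana"
    Header always set Content-Security-Policy \
        "script-src 'self' 'unsafe-eval'; manifest-src 'self'; style-src 'self' 'unsafe-inline'"
</Location>
```

Note that if Kibana sends its own Content-Security-Policy header and Apache adds another, browsers enforce both, so a policy that is stricter at either layer still wins; check the response headers in the browser's developer tools after the change.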

Ok, thanks a lot Larry for your quick answer.

Regards,
Otmane.
