Embed Kibana Dashboard via IFrame / csp config

ksremo · December 7, 2021, 2:20pm

hi i want a third webserver to embed a dashboard via iframe, but default csp config denied it.
what i tried so far in the kibana.yml
xpack.security.sameSiteCookies: None
xpack.security.secureCookies: true
csp.strict: false
server.securityResponseHeaders.disableEmbedding: false
csp.rules: ["default-src *"]
#csp.rules: ["default-src https://urlthatembeds.local/"]
#server.customResponseHeaders: {"x-frame-options":"allow-from https://urlthatembeds.local/ "}
server.customResponseHeaders: {"x-frame-options":"allow-from *"}

But it seems that always "x-frame-options: SAMEORIGIN" is sent (but also the custom header)

how to allow these iframes?

azasypkin · December 16, 2021, 1:50pm

What exact error do you observe? Do you see the same behavior in different browsers (e.g. Firefox vs Chrome)?

ksremo · December 16, 2021, 2:09pm

i could solve the problem.
problem was the nginx reverse proxy in front of kibana. he adds "x-frame-options: SAMEORIGIN" header.

azasypkin · December 16, 2021, 2:13pm

Ah, nice, thanks for sharing!

system · January 13, 2022, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.