Inline script not firing due to content security policy - dashboard URL link no longer loading

smchamberlin · September 28, 2023, 10:12pm

After upgrading my version of kibana, I can no longer load a clickable hyperlink URL with parameters from my dashboard - it just loads indefinitely and throws exceptions.

This is the URL I want to load:
http://testserver.mydomain.com:5601/app/dashboards#/view/8afeb260-cf59-11ed-b98d-1da6fcdcbb72?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from%3Anow-2y%2Cto%3Anow))&_a=(filters:!((query:(match_phrase:(Scenario:CD62)))))

And these are the exceptions I'm seeing in Chrome developer tools?

The Cross-Origin-Opener-Policy header has been ignored, because the URL's origin was untrustworthy. It was defined either in the final response or a redirect. Please deliver the response using the HTTPS protocol. You can also use the 'localhost' origin instead. See https://www.w3.org/TR/powerful-features/#potentially-trustworthy-origin and https://html.spec.whatwg.org/#the-cross-origin-opener-policy-header.
dashboards#/view/8afeb260-cf59-11ed-b98d-1da6fcdcbb72?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-2y,to:now)):286 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.

bootstrap.js:42 ^ A single error about an inline script not firing due to content security policy is expected!
core.entry.js:1     GET http://testserver.mydomain.com:5601/api/exception_lists/items/_find?page=1&per_page=1&list_id=endpoint_host_isolation_exceptions&namespace_type=agnostic 403 (Forbidden)
fetchResponse @ core.entry.js:1
(anonymous) @ core.entry.js:1
await in (anonymous) (async)
(anonymous) @ core.entry.js:1
(anonymous) @ core.entry.js:1
find @ securitySolution.chunk.17.js:3
await in find (async)
hasData @ securitySolution.chunk.17.js:3
queryFn @ securitySolution.chunk.17.js:3
fetchFn @ kbn-ui-shared-deps-npm.dll.js:357
O @ kbn-ui-shared-deps-npm.dll.js:334
l @ kbn-ui-shared-deps-npm.dll.js:334
fetch @ kbn-ui-shared-deps-npm.dll.js:357
fetchQuery @ kbn-ui-shared-deps-npm.dll.js:350
a @ securitySolution.chunk.17.js:3
(anonymous) @ securitySolution.chunk.17.js:3
await in (anonymous) (async)
pe @ securitySolution.chunk.17.js:3
(anonymous) @ securitySolution.plugin.js:2
e.next @ kbn-ui-shared-deps-npm.dll.js:334
t._next @ kbn-ui-shared-deps-npm.dll.js:334
t.next @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
s._next @ kbn-ui-shared-deps-npm.dll.js:6
t.next @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
s._next @ kbn-ui-shared-deps-npm.dll.js:6
t.next @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
e._trySubscribe @ kbn-ui-shared-deps-npm.dll.js:272
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
i @ kbn-ui-shared-deps-npm.dll.js:334
e.subscribe @ kbn-ui-shared-deps-npm.dll.js:272
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
e._trySubscribe @ kbn-ui-shared-deps-npm.dll.js:272
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
i @ kbn-ui-shared-deps-npm.dll.js:334
e.subscribe @ kbn-ui-shared-deps-npm.dll.js:272
g @ kbn-ui-shared-deps-npm.dll.js:334
m @ kbn-ui-shared-deps-npm.dll.js:334
s._next @ kbn-ui-shared-deps-npm.dll.js:6
t.next @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
e._trySubscribe @ kbn-ui-shared-deps-npm.dll.js:272
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
i @ kbn-ui-shared-deps-npm.dll.js:334
e.subscribe @ kbn-ui-shared-deps-npm.dll.js:272
a @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:329
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:6
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
i @ kbn-ui-shared-deps-npm.dll.js:334
e.subscribe @ kbn-ui-shared-deps-npm.dll.js:272
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
b @ kbn-ui-shared-deps-npm.dll.js:334
u @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
b @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:334
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:6
(anonymous) @ kbn-ui-shared-deps-npm.dll.js:272
i @ kbn-ui-shared-deps-npm.dll.js:334
e.subscribe @ kbn-ui-shared-deps-npm.dll.js:272
registerAppLinks @ securitySolution.plugin.js:2
await in registerAppLinks (async)
start @ securitySolution.plugin.js:2
start @ core.entry.js:1
start @ core.entry.js:1
start @ core.entry.js:1
await in start (async)
Ji @ core.entry.js:1
await in Ji (async)
(anonymous) @ bootstrap.js:111
innerCb @ bootstrap.js:90
load (async)
loadScript @ bootstrap.js:80
(anonymous) @ bootstrap.js:99
load @ bootstrap.js:86
window.onload @ bootstrap.js:108
load (async)
(anonymous) @ bootstrap.js:47
securitySolution.chunk.17.js:3 Error: Forbidden
    at fetch_Fetch.fetchResponse (core.entry.js:1:279501)
    at async core.entry.js:1:277519
    at async core.entry.js:1:277476

Anyone know how I can address this? Thanks in advance!

jsanz · October 24, 2023, 5:19pm

@smchamberlin can you share from and to which versions of the stack you upgraded?

jsanz · October 24, 2023, 5:31pm

Related with the versions I was asking, a colleague shared with me some pull requests that fixed redirect issues in dashboards.

Fix alias redirect & update error handling fixed for 8.8.2 and 8.9.0
Fix Alias Redirect Race Condition fixed for 8.9.0 and 8.10.0
Fix missing state on short URL alias match redirect fixed for 8.9.2 and 8.10.0

Unfortunately, the browser exception code is not very helpful and the issue is not related with content security policies.

Hope this helps.

system · November 21, 2023, 5:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.