Is there any method to set content security policy only in Kibana plugin code?

Currently, I am developing a Kibana plugin that uses an iframe to load a remote website. Here is the content of plugins/query_ai/public/components/main/main.js:

import React from 'react';

export class Main extends React.Component {
  constructor(props) {
    super(props); // must run before `this` is used in a subclass constructor
    this.state = {};
  }

  componentDidMount() {
    /*
       FOR EXAMPLE PURPOSES ONLY.  There are much better ways to
       manage state and update your UI than this.
    */
    const { httpClient } = this.props;
  }

  render() {
    const { title } = this.props;
    // The iframe below is what the page's CSP blocks.
    return (
      <iframe width="100%" height="100%" frameBorder="0" src="" />
    );
  }
}

However, the content security policy blocks the remote website.

The error message is: Refused to frame '' because it violates the following Content Security Policy directive: "child-src blob:". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.

I wonder how to set content security policy in the Kibana plugin files so that the iframe can work as expected?

You can't configure this via your plugin, but the end-users of Kibana can configure it. In kibana.yml, they can specify the content-security-policy header, as documented here:

I think it would need to look something like this: csp.rules: "frame-src 'self'"
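The fallback named in the error message (no `frame-src`, so `child-src` applies) can be reproduced with a small evaluator that takes a policy string and a frame URL. This is an added example, not code from the thread or from Kibana; the origins `https://kibana.example:5601` and `https://remote.example` are constructed placeholders, and source matching is simplified (no ports, paths, nonces or hashes).

```javascript
// Added example: simplified CSP check for an iframe target.
// Handles 'self', 'none', *, scheme sources (blob:) and plain host sources only.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fallback chain for frames: frame-src, then child-src, then default-src.
function effectiveFrameDirective(policy) {
  return ['frame-src', 'child-src', 'default-src'].find((d) => policy.has(d)) || null;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === selfOrigin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol); // simplified
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/.exec(s); // host source
  if (!m) return false; // ports and paths are not handled in this sketch
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function frameAllowed(header, frameUrl, selfOrigin) {
  const policy = parseCsp(header);
  const directive = effectiveFrameDirective(policy);
  if (directive === null) return { allowed: true, directive }; // nothing restricts frames
  const url = new URL(frameUrl);
  const allowed = policy.get(directive).some((src) => sourceMatches(src, url, selfOrigin));
  return { allowed, directive };
}

// Constructed sample values (not from the original thread).
const SELF = 'https://kibana.example:5601';
const REMOTE = 'https://remote.example/dashboard';
console.log(frameAllowed('child-src blob:', REMOTE, SELF));
console.log(frameAllowed("frame-src 'self' https://remote.example", REMOTE, SELF));
```

With these constructed inputs, `child-src blob:` rejects the remote frame through the `child-src` fallback, and a `frame-src` list admits a cross-origin frame only when it names that origin.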
