Is unsafe-eval required for Kibana dashboard to work? Or only needed for certain functions in the Kibana dashboard?
We have the following menus/functions on the left hand side:
Discover
Visualize
Dashboard
Timelion
Alerting
Dev Tools
Management
Security
Usually, for 'default-src', 'script-src' and 'object-src', unsafe-eval is considered insecure and should be avoided, as banning the ability to execute strings makes it much more difficult for an attacker to execute unauthorized code on the site.
We are aware that Kibana's default Content-Security-Policy is not as strict as desired. Unfortunately, Kibana currently requires "unsafe-eval" to function. We do have an open enhancement issue on GitHub if you'd like to follow it for updates: https://github.com/elastic/kibana/issues/36311
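For anyone auditing what a Kibana deployment actually sends, the following is an added example (not code from this thread, from Elastic, or from Kibana itself) that parses a Content-Security-Policy header and reports whether string-to-code execution ('unsafe-eval') is allowed for scripts, honouring the default-src fallback that browsers apply when script-src or object-src is absent. The two sample headers are constructed: the first mimics the shape of a policy that permits 'unsafe-eval' in script-src, the second is a stricter policy for comparison; neither is claimed to be Kibana's exact output.

```python
"""Audit a Content-Security-Policy header for 'unsafe-eval' and object-src coverage.

Added example (not part of the original discussion). Only the common
default-src fallback is modelled; worker-src's longer fallback chain is omitted.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are not set.
FALLS_BACK_TO_DEFAULT = {"script-src", "object-src", "style-src", "connect-src", "img-src"}

# Constructed sample headers (assumptions for this example, not captured from Kibana).
PERMISSIVE_HEADER = "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'"
STRICT_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'unsafe-inline' 'self'"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directive names are case-insensitive. When a directive appears twice,
    browsers keep the first occurrence and ignore the rest, so we do the same.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: first one wins
        policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive` after default-src fallback.

    None means nothing restricts it: neither the directive nor default-src is present.
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def allows_unsafe_eval(policy: Dict[str, List[str]]) -> bool:
    """True if eval()/new Function()/string timers are permitted for scripts."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True  # no script restriction at all, so eval is allowed
    return "'unsafe-eval'" in {s.lower() for s in sources}


def blocks_plugins(policy: Dict[str, List[str]]) -> bool:
    """True only when object-src (or its default-src fallback) is exactly 'none'."""
    sources = effective_sources(policy, "object-src")
    return sources is not None and [s.lower() for s in sources] == ["'none'"]


def assess(header: str) -> Dict[str, object]:
    """Summarise the two findings a reviewer cares about for a given header."""
    policy = parse_csp(header)
    return {
        "unsafe_eval_allowed": allows_unsafe_eval(policy),
        "object_src_blocked": blocks_plugins(policy),
        "effective_script_src": effective_sources(policy, "script-src"),
        "effective_object_src": effective_sources(policy, "object-src"),
    }


if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE_HEADER), ("strict", STRICT_HEADER)):
        print(label, assess(header))
```

The check is deliberately conservative: a header with no script-src and no default-src is reported as allowing eval, because nothing in the policy forbids it, and object-src counts as blocked only when it resolves to exactly 'none'.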