Is unsafe-eval required for script-src in the content-security-policy for Kibana 6.7.1?

When loading the Kibana dashboard home page, unsafe-eval shows up for script-src:

content-security-policy: script-src 'unsafe-eval' 'self'

Is unsafe-eval required for Kibana dashboard to work? Or only needed for certain functions in the Kibana dashboard?

We have the following menus/functions on the left hand side:

  • Discover
  • Visualize
  • Dashboard
  • Timelion
  • Alerting
  • Dev Tools
  • Management
  • Security

Usually, for 'default-src', 'script-src' and 'object-src', unsafe-eval is considered insecure and should be avoided... As banning the ability to execute strings makes it much more difficult for an attacker to execute unauthorized code on the site...

Hi @cjin62,

Welcome to our community! Please check if this is the issue you are seeing or if it is something else:

Thanks!
Liza

Hi @LizaD - Thank you for the quick reply. I already reviewed that post before I raised my question - it unfortunately does not address my question.

What I'd like to do is to set the csp.rules parameter in the kibana.yml file to no longer have unsafe-eval for script-src - to make it more secure:

https://www.elastic.co/guide/en/kibana/6.7/settings.html

However, I do not know whether removing unsafe-eval from script-src will cause any issues with the list of Kibana functions below:

  • Discover
  • Visualize
  • Dashboard
  • Timelion
  • Alerting
  • Dev Tools
  • Management
  • Security
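A small auditing script for the check the question is really asking about: given the `content-security-policy` header value a Kibana instance returns, does the policy let page scripts use `eval()`? This is an added example, not code from the thread or from Kibana; it parses the header the way a browser does (directives separated by `;`, sources by whitespace, `script-src` falling back to `default-src` when absent) and reports `'unsafe-eval'` in the directives mentioned above. The sample header is the one quoted in the question; a constructed `KIBANA_671_HEADER` constant holds it.

```python
"""Audit a Content-Security-Policy header value for 'unsafe-eval'.

Added example, not part of the original thread or of Kibana itself.
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}.

    Directive names are case-insensitive; the first occurrence of a
    directive wins and later duplicates are ignored, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs scripts.

    script-src applies when present; otherwise browsers fall back to
    default-src. None means the policy puts no restriction on scripts.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_eval(header: str) -> bool:
    """True if the policy lets scripts call eval() / new Function().

    No script-src and no default-src means scripts are unrestricted, so
    eval is allowed; otherwise it is allowed only with 'unsafe-eval'.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True
    return "'unsafe-eval'" in (s.lower() for s in sources)


def audit(header: str) -> List[str]:
    """Return one finding per directive from the question that permits eval."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("default-src", "script-src", "object-src"):
        sources = policy.get(directive)
        if sources and "'unsafe-eval'" in (s.lower() for s in sources):
            findings.append(f"{directive} permits 'unsafe-eval'")
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")
    return findings


# Constructed sample: the header value quoted in the question above.
KIBANA_671_HEADER = "script-src 'unsafe-eval' 'self'"

if __name__ == "__main__":
    for finding in audit(KIBANA_671_HEADER):
        print(finding)
    print("eval allowed:", allows_eval(KIBANA_671_HEADER))
```

Running it against the quoted header reports that `script-src` permits `'unsafe-eval'`; after changing `csp.rules` in `kibana.yml`, re-run it against the header the server actually sends (for example from `curl -I`) rather than against the configuration file, since what the browser enforces is the delivered header.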

Thanks @cjin62,

Let me check with one of our security experts to see if they can help.

@jportner can you help answer this?

Hi @cjin62,

We are aware that Kibana's default Content-Security-Policy is not as strict as desired. Unfortunately, Kibana currently requires "unsafe-eval" to function. We do have an open enhancement issue on GitHub if you'd like to follow it for updates: https://github.com/elastic/kibana/issues/36311

Best,
-Joe


Thank you for the info Joe. I have subscribed to that issue now.
