Is unsafe-eval required for script-src in the content-security-policy for Kibana 6.7.1?

Elastic Stack Kibana
1

When loading the Kibana dashboard home page, unsafe-eval shows up for script-src:

content-security-policy: script-src 'unsafe-eval' 'self'

Is unsafe-eval required for Kibana dashboard to work? Or only needed for certain functions in the Kibana dashboard?

We have the following menus/functions on the left hand side:

  • Discover
  • Visualize
  • Dashboard
  • Timelion
  • Alerting
  • Dev Tools
  • Management
  • Security

Usually, for 'default-src', 'script-src' and 'object-src', unsafe-eval is considered insecure and should be avoided... As banning the ability to execute strings makes it much more difficult for an attacker to execute unauthorized code on the site...

2

Hi @cjin62,

Welcome to our community! Please check if this is the issue you are seeing or if it is something else:

Thanks!
Liza

3

Hi @LizaD - Thank you for the quick reply. I already reviewed that post before I raised my question - it unfortunately does not address my question.

What I'd like to do is to set the csp.rules parameter in the kibana.yml file to no longer have unsafe-eval for script-src - to make it more secure:

https://www.elastic.co/guide/en/kibana/6.7/settings.html

However, I do not know whether removing unsafe-eval from script-src will cause any issues with the list of Kibana functions below:

  • Discover
  • Visualize
  • Dashboard
  • Timelion
  • Alerting
  • Dev Tools
  • Management
  • Security
4

Thanks @cjin62,

Let me check with one of security experts to see if they can help.

@jportner can you help answer this?

5

Hi @cjin62,

We are aware that Kibana's default Content-Security-Policy is not as strict as desired. Unfortunately, Kibana currently requires "unsafe-eval" to function. We do have an open enhancement issue on GitHub if you'd like to follow it for updates: https://github.com/elastic/kibana/issues/36311

Best,
-Joe

1 Like
6

Thank you for the info Joe. I have subscribed to that issue now.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.