The problem of using iframe when developing a Kibana plugin that loads remote website

sunminxuan · August 5, 2019, 5:37pm

I am developing a Kibana plugin and named it test-3. This is the content of kibana/plugins/test_3/public/components/main/main.js:

import React from 'react';

export class Main extends React.Component {
  constructor(props) {
    super(props);
    this.state = {};
  }

  componentDidMount() {
    /*
       FOR EXAMPLE PURPOSES ONLY.  There are much better ways to
       manage state and update your UI than this.
    */
    const { httpClient } = this.props;
    httpClient.get('../api/test3/example').then((resp) => {
      this.setState({ time: resp.data.time });
    });
  }
  render() {
    const { title } = this.props;
    return (
        <iframe src="https://ai.query.ai"></iframe>
    );
  }
}

And i opened the Chrome and go to http://localhost:5601/vpr/app/test_3. It's failed to load https://ai.query.ai and giving error: Refused to frame 'https://ai.query.ai/' because it violates the following Content Security Policy directive: "child-src blob:". Note that 'frame-src' was not explicitly set, so 'child-src' is used as a fallback.:

.

I think the iframe is failed to use is because of the content security policy. I wonder what should i do to make iframe works in this scenario? Thanks!!

joshdover · August 5, 2019, 6:06pm

To make this work, you'll need to configure the Content Security Policy so that iframes for your domain are allowed. To do that, you'll need to add a section like the one below to your kibana.yml file to allow iframes from the https://ai.query.ai/ domain.

# kibana.yml
csp.rules:
  # current defaults
  - "script-src 'unsafe-eval' 'nonce-{nonce}'"
  - "worker-src blob'"
  - "child-src blob:"
  # New rule for iframes
  - "frame-src https://ai.query.ai/"

Note that modifying the CSP rules is not generally recommended and should be used at your own risk. This will allow code from ai.query.ai to run within the context of the logged in user, so be sure that this domain is one that you trust.

sunminxuan · August 5, 2019, 6:50pm

Thank you for your response, Joshdover, adding the sections in kibana.yml works for me. However, Is there any way to make it work by just editing the Kibana plugin code? Or in other words, how can we config content security policy only in kibana plugin code?

Since i am developing a kibana plugin and editing kibana.yml might not be a valid solution for me.

system · September 2, 2019, 6:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there any method to set content security policy only in Kibana plugin code? Kibana	2	3042	September 3, 2019
Dashboard embeded iframe CORS issue Kibana	3	1325	June 1, 2021
Please upgrade your browser This Kibana installation has strict security requirements enabled that your current browser does not meet Kibana	2	2306	October 6, 2022
Kibana Iframe Share Issue with Xframe and SameSite Cookie Kibana	5	718	February 11, 2023
Sharing Kibana Visualization Search as Iframe and running into Issues on Google Chrome Kibana	3	277	December 13, 2022

The problem of using iframe when developing a Kibana plugin that loads remote website

Related topics