Can you clarify this? If you're using the Apache-2.0 licensed version of Kibana, then your installation doesn't have the concept of a User, Role, or Space. These are all free features available with the "Default Distribution", which is granted under the Elastic License.
Do you see the "Space Avatar" at the top of Kibana?
If so, then you're running the Default Distribution, rather than the Open Source Distribution.
server.cors: true should be sufficient to allow browsers to honor cross-origin requests. Setting
server.xsrf.disableProtections: true should be sufficient to tell Kibana that you don't wish to protect the installation from cross-site request forgery. This should be a short-term solution, until we get it working. Then, we can move to the whitelist that you attempted earlier.