Version: 7.x-41.0.0
This is an older version of Search Guard. Switch to Latest version
Kibana in iframe
Web browsers change the default behavior for cookies so that:
- Cookies without a SameSite attribute will be treated as SameSite=Lax.
- Cookies for cross-site usage must specify SameSite=None; Secure to include third party content.
This means that, by default, Kibana can't be accessed via an iframe on a third-party website. The cookies on the Kibana side must be configured with the SameSite=None; Secure attributes. Kibana can't do this on its own yet because it still uses the hapi v17 server, and hapi introduced SameSite=None in the v19.0.0 release. The related Kibana issue can be found here.
Good news! We provide a patch to make it work.
Patch
$ cd kibana/plugins/searchguard
$ ./patches/patch_to_add_samesite_none_to_cookies.sh
SGD-231/SGD-19 The patch makes it possible to work with Kibana which is embeded in an iframe on a third party website.
Read more about SameSite=None: https://www.chromestatus.com/feature/5633521622188032 and https://web.dev/samesite-cookies-explained/
The following configuration of kibana.yml is required:
searchguard:
  cookie:
    secure: true
    isSameSite: None
Patched node_modules/hapi-auth-cookie/lib/index.js. The original file backup is in node_modules/hapi-auth-cookie/lib/index.js.bak
Patched ../../node_modules/statehood/lib/index.js. The original file backup is in ../../node_modules/statehood/lib/index.js.bak
Kibana configuration
kibana.yml
searchguard:
  cookie:
    secure: true
    isSameSite: None
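To confirm the patch and configuration took effect, the Set-Cookie headers Kibana returns can be checked against the browser rules listed at the top of this page. The following is an added example, not part of Search Guard or the patch; the cookie name example_auth_cookie and the sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether a browser applying the new defaults would send this cookie
// when Kibana is loaded in an iframe on a third-party site.
function iframeVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { sentInIframe: false, reason: 'no SameSite attribute, treated as SameSite=Lax' };
  }
  if (c.sameSite !== 'none') {
    return { sentInIframe: false, reason: `SameSite=${c.sameSite} is not sent cross-site` };
  }
  if (!c.secure) {
    return { sentInIframe: false, reason: 'SameSite=None without Secure is rejected' };
  }
  return { sentInIframe: true, reason: 'SameSite=None; Secure' };
}

// Constructed sample headers: unpatched, half-configured, and fully configured.
const samples = [
  'example_auth_cookie=abc; Path=/; HttpOnly',
  'example_auth_cookie=abc; Path=/; HttpOnly; SameSite=None',
  'example_auth_cookie=abc; Path=/; Secure; HttpOnly; SameSite=None',
];
for (const header of samples) {
  const verdict = iframeVerdict(header);
  console.log(`${verdict.sentInIframe ? 'OK  ' : 'FAIL'} ${verdict.reason} <- ${header}`);
}
```

Because the Secure attribute is required, Kibana has to be served over HTTPS for the cookie to be accepted at all.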
References
Reject insecure SameSite=None cookies
Temporarily rolling back SameSite Cookie Changes