Version: 7.x-47.0.0
Community
Kibana in iframe
Web browsers change the default behavior for cookies so that:
- Cookies without a SameSite attribute will be treated as SameSite=Lax.
- Cookies for cross-site usage must specify SameSite=None; Secure to include third party content.
This means that, by default, Kibana can't be accessed via an iframe on a third-party website. The cookies on the Kibana side must be configured with the SameSite=None; Secure attributes. Kibana can't do this on its own at the moment because it still uses the hapi v17 server, and hapi only introduced SameSite=None in its v19.0.0 release. The related Kibana issue can be found here.
Good news! We provide a patch to make it work.
Patch
$ cd kibana/plugins/searchguard
$ ./patches/patch_to_add_samesite_none_to_cookies.sh
SGD-231/SGD-19 The patch makes it possible to work with Kibana which is embeded in an iframe on a third party website.
Read more about SameSite=None: https://www.chromestatus.com/feature/5633521622188032 and https://web.dev/samesite-cookies-explained/
The following configuration of kibana.yml is required:
searchguard:
  cookie:
    secure: true
    isSameSite: None
Patched node_modules/hapi-auth-cookie/lib/index.js. The original file backup is in node_modules/hapi-auth-cookie/lib/index.js.bak
Patched ../../node_modules/statehood/lib/index.js. The original file backup is in ../../node_modules/statehood/lib/index.js.bak
Kibana configuration
kibana.yml
searchguard:
  cookie:
    secure: true
    isSameSite: None
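To confirm that the patch and the settings above took effect, the Set-Cookie headers returned by Kibana can be checked against the two browser rules listed at the top of this page. The following Node.js sketch is an added example, not code from Search Guard or Kibana; the cookie name sg_example and the header strings are constructed samples, and the function names are hypothetical.

```javascript
// Added example: classify Set-Cookie headers by how a browser applying the
// two rules above treats them when Kibana is embedded in a third-party iframe.

// Parse one Set-Cookie header value into the attributes relevant here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether the cookie would accompany requests made from a cross-site iframe.
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  // Rule 1: a missing (or unrecognised) SameSite attribute is treated as Lax.
  const effective = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  if (effective !== 'none') {
    return { name: c.name, sent: false, reason: `SameSite=${effective}: withheld from cross-site iframes` };
  }
  // Rule 2: SameSite=None is only accepted together with Secure.
  if (!c.secure) {
    return { name: c.name, sent: false, reason: 'SameSite=None without Secure: rejected by the browser' };
  }
  return { name: c.name, sent: true, reason: 'SameSite=None; Secure: usable in a third-party iframe' };
}

// Constructed sample headers (not captured from a real Kibana instance).
const samples = [
  'sg_example=abc; Path=/; HttpOnly',                          // unpatched default
  'sg_example=abc; Path=/; HttpOnly; SameSite=None',           // isSameSite set, secure missing
  'sg_example=abc; Path=/; HttpOnly; Secure; SameSite=None',   // patched and fully configured
];

for (const header of samples) {
  const v = crossSiteVerdict(header);
  console.log(`${v.sent ? 'OK  ' : 'FAIL'} ${v.name}: ${v.reason}`);
}
```

Only the third form, which corresponds to secure: true together with isSameSite: None, passes the check.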
References
Reject insecure SameSite=None cookies
Temporarily rolling back SameSite Cookie Changes