Version: 7.x-41.0.0
Community

Kibana in iframe

Web browsers change the default behavior for cookies so that:

  • Cookies without a SameSite attribute will be treated as SameSite=Lax.
  • Cookies for cross-site usage must specify SameSite=None; Secure to include third party content.

It means that Kibana can’t be accessed via an iframe on a third party web site by default. The cookies at the Kibana side must be configured to add SameSite=None; Secure attributes. It can’t be done now because Kibana is still using hapi v17 server. And hapi introduced SameSite=None in v19.0.0 release. The related Kibana issue can be found here.

Good news! We provide a patch to make it work.

Patch

$ cd kibana/plugins/searchguard
$ ./patches/patch_to_add_samesite_none_to_cookies.sh

SGD-231/SGD-19 The patch makes it possible to work with Kibana which is embeded in an iframe on a third party website.
Read more about SameSite=None: https://www.chromestatus.com/feature/5633521622188032 and https://web.dev/samesite-cookies-explained/

The following configuration of kibana.yml is required:
searchguard:
 cookie:
  secure: true
  isSameSite: None

Patched node_modules/hapi-auth-cookie/lib/index.js. The original file backup is in node_modules/hapi-auth-cookie/lib/index.js.bak
Patched ../../node_modules/statehood/lib/index.js. The original file backup is in ../../node_modules/statehood/lib/index.js.bak

Kibana configuration

kibana.yml

searchguard:
 cookie:
  secure: true
  isSameSite: None

References

Reject insecure SameSite=None cookies

Temporarily rolling back SameSite Cookie Changes

SameSite cookies explained

Incrementally Better Cookies


Not what you were looking for? Try the search.