Kibana in iframe
Web browsers change the default behavior for cookies so that:
- Cookies without a `SameSite` attribute will be treated as
- Cookies for cross-site usage must specify `SameSite=None; Secure` to include third party content.
This means that, by default, Kibana can't be accessed via an iframe on a third-party website. The cookies on the Kibana side must be configured to add the `SameSite=None; Secure` attributes. This can't be done now because Kibana is still using the hapi v17 server, and hapi introduced `SameSite=None` in the v19.0.0 release. The related Kibana issue can be found here.
Good news! We provide a patch to make it work.
```
$ cd kibana/plugins/searchguard
$ ./patches/patch_to_add_samesite_none_to_cookies.sh
SGD-231/SGD-19
The patch makes it possible to work with Kibana which is embeded in an iframe on a third party website.
Read more about SameSite=None: https://www.chromestatus.com/feature/5633521622188032 and https://web.dev/samesite-cookies-explained/
The following configuration of kibana.yml is required:
searchguard:
  cookie:
    secure: true
    isSameSite: None
Patched node_modules/hapi-auth-cookie/lib/index.js. The original file backup is in node_modules/hapi-auth-cookie/lib/index.js.bak
Patched ../../node_modules/statehood/lib/index.js. The original file backup is in ../../node_modules/statehood/lib/index.js.bak
```

```yaml
searchguard:
  cookie:
    secure: true
    isSameSite: None
```
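To confirm that the patch and the `kibana.yml` settings took effect, the `Set-Cookie` headers Kibana returns (for example, as shown in the browser's developer tools) can be checked against the two rules above. The following is an added example, not part of Search Guard or Kibana; the function names and the sample header strings are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (names and values are made up).
const SAMPLE_HEADERS = [
  'example_auth=abc123; Secure; HttpOnly; SameSite=None; Path=/',
  'example_prefs=xyz; HttpOnly; Path=/',
  'example_state=a=b; SameSite=None; Path=/',
  'example_lax=1; Secure; samesite=Lax',
];

// Parse one Set-Cookie header value into the fields relevant to iframe use.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('='); // the cookie value itself may contain '='
  const cookie = {
    name: eq < 0 ? nameValue : nameValue.slice(0, eq),
    sameSite: null,
    secure: false,
  };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Decide whether the cookie meets the cross-site requirement: SameSite=None AND Secure.
function iframeVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) {
    return { name: c.name, ok: false, reason: 'no SameSite attribute (browser default applies)' };
  }
  if (c.sameSite !== 'none') {
    return { name: c.name, ok: false, reason: `SameSite=${c.sameSite} is not sent cross-site` };
  }
  if (!c.secure) {
    return { name: c.name, ok: false, reason: 'SameSite=None without Secure' };
  }
  return { name: c.name, ok: true, reason: 'SameSite=None; Secure' };
}

// Return only the cookies that would break Kibana inside a third-party iframe.
function auditCookies(headers) {
  return headers.map(iframeVerdict).filter((v) => !v.ok);
}

for (const v of SAMPLE_HEADERS.map(iframeVerdict)) {
  console.log(`${v.ok ? 'OK  ' : 'FAIL'} ${v.name}: ${v.reason}`);
}
```

Any cookie reported as `FAIL` indicates that the patch was not applied to the module that sets it, or that `secure: true` and `isSameSite: None` are missing from `kibana.yml`.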