Defend against undesired forms of iframe embedding #8519
Comments
Is there a way to add
@savva-k there isn't a supported method to configure this in Kibana, but putting a proxy like nginx in front of Kibana and adding the header there is always a supported option.
Ping @elastic/kibana-security since we weren't automatically mentioned on this older issue.
This issue has been open since 2016, and there doesn't appear to be a strong interest at this time. I'm going to close for the time being, but we can reopen if priorities change. Administrators can control whether or not they wish for Kibana as a whole to be embeddable via
A desire for reimplementing the X-Frame-Options header has popped up, but as it conflicts with the embed/share features I was thinking about ways Kibana could be more defensive against undesired forms of iframe embedding. This way, we can have cross-domain iframe sharing of visualizations and dashboard, but if someone tries to embed the user-management app in an iframe it won't work.
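
The idea in the issue description above, sketched as an added example (not Kibana's code and not written by anyone in this thread): a default-deny framing policy that lets only allow-listed routes be embedded. The route prefixes, the ancestor origin and the function names are hypothetical.

```javascript
'use strict';
// Added example, not Kibana code. Route prefixes and the ancestor origin are
// hypothetical values chosen for illustration.
const EMBEDDABLE_PREFIXES = ['/app/dashboards', '/app/visualize'];
const ALLOWED_ANCESTORS = ['https://intranet.example.com'];

const DENY = Object.freeze({
  'Content-Security-Policy': "frame-ancestors 'none'",
  'X-Frame-Options': 'DENY', // fallback for browsers without frame-ancestors support
});

// Resolve the request target to a canonical path so dot segments cannot
// make a sensitive route look like an embeddable one. Returns null for
// anything that is not an origin-form path.
function canonicalPath(rawUrl) {
  if (typeof rawUrl !== 'string' || !rawUrl.startsWith('/') || rawUrl.startsWith('//')) {
    return null;
  }
  try {
    return new URL(rawUrl, 'http://placeholder.invalid').pathname;
  } catch (err) {
    return null;
  }
}

// Match whole path segments only: "/app/dashboardsX" is not "/app/dashboards".
function isEmbeddable(path) {
  return EMBEDDABLE_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Default deny; only allow-listed routes may be framed, and only by the
// listed ancestors. X-Frame-Options is omitted there because it cannot
// express a cross-origin allow-list.
function frameHeaders(rawUrl) {
  const path = canonicalPath(rawUrl);
  if (path === null || !isEmbeddable(path)) return { ...DENY };
  const ancestors = ["'self'", ...ALLOWED_ANCESTORS].join(' ');
  return { 'Content-Security-Policy': `frame-ancestors ${ancestors}` };
}

// Usable from any Node.js http handler before the response body is written.
function applyFramePolicy(req, res) {
  for (const [name, value] of Object.entries(frameHeaders(req.url))) {
    res.setHeader(name, value);
  }
}
```

Browsers that support `frame-ancestors` give it precedence over `X-Frame-Options`, so the deny case sends both and the allow case sends only the CSP directive.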