
Defend against undesired forms of iframe embedding #8519

Closed
spalger opened this issue Oct 3, 2016 · 5 comments
Labels
enhancement New value added to drive a business result Feature:Embedding Embedding content via iFrame impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Team:Visualizations Visualization editors, elastic-charts and infrastructure

Comments

spalger (Contributor) commented Oct 3, 2016

A desire for reimplementing the X-Frame-Options header has popped up, but as it conflicts with the embed/share features I was thinking about ways Kibana could be more defensive against undesired forms of iframe embedding.

  1. What if Kibana could automatically go into "embed mode" anytime it is rendered within an iframe. The method for determining this would have to be researched, but it's got to be possible.
  2. Routes that support embed mode would need to be marked as such, and any other route would instead render a "this route does not work in embed mode" message, offering a link to the URL that is instructed to open in the top-level window.

This way, we can have cross-domain iframe sharing of visualizations and dashboards, but if someone tries to embed the user-management app in an iframe it won't work.
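A sketch of the client-side half of that proposal, added here as an illustration and not Kibana's own code. `win` is the page's window-like object, passed as a parameter so the logic can be exercised outside a browser, and the route names are hypothetical; note that this only controls what the UI draws, so a framing response header remains the actual clickjacking defence.

```javascript
// Added example, not Kibana code: detect iframe embedding on the client and
// gate routes on an "embed mode" allow-list. Route names are hypothetical.
const EMBEDDABLE_ROUTES = new Set(['/app/dashboards', '/app/visualize']);

// True when this document is not the top-level browsing context. Reading most
// properties of a cross-origin `window.top` throws, but the identity
// comparison `self !== top` is permitted by the same-origin policy.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // access denied by the browser: a cross-origin ancestor exists
  }
}

// Decide how to render `pathname` (taken from the app router, not user input):
// normally, in embed mode, or as a refusal page whose link carries
// target="_top" so the user can open the route in the top-level window.
function decideRender(win, pathname) {
  if (!isFramed(win)) return { mode: 'normal', path: pathname };
  if (EMBEDDABLE_ROUTES.has(pathname)) return { mode: 'embed', path: pathname };
  const url = win.location.origin + pathname;
  return {
    mode: 'blocked',
    path: pathname,
    html:
      '<p>This route does not work in embed mode.</p>' +
      `<a href="${url}" target="_top">Open it in a top-level window</a>`,
  };
}
```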

@spalger spalger added the discuss label Oct 3, 2016
@tbragin tbragin added Feature:Embedding Embedding content via iFrame :Sharing labels Nov 9, 2016
@epixa epixa removed the v5.1.0 label Nov 30, 2016
@epixa epixa removed the P2 label Apr 25, 2017
savva-k commented Jul 20, 2017

Is there a way to add X-Frame-Options to Kibana app now? I'm trying to fit in our security policy and need to have this header set.

spalger (Contributor, Author) commented Jul 20, 2017

@savva-k there isn't a supported method to configure this in Kibana, but putting a proxy like nginx in front of Kibana and adding the header there is always a supported option.

epixa (Contributor) commented Jul 21, 2017

@savva-k I just merged in the ability to set custom response headers for the Kibana server, which you could use to set an x-frame-options header. The PR was #13045.

It should go out in 6.0.0-beta1 and 5.6.0.

@stacey-gammon stacey-gammon added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label May 31, 2018
@timroes timroes added Team:Visualizations Visualization editors, elastic-charts and infrastructure and removed :Sharing labels Sep 14, 2018
@kobelb kobelb added enhancement New value added to drive a business result and removed release_note:enhancement labels Jan 14, 2020
legrego (Member) commented Jul 22, 2021

Ping @elastic/kibana-security since we weren't automatically mentioned on this older issue.
We have first-class support to enable/disable embedding across all of Kibana, but this issue is discussing whether we'd want to allow applications/routes to opt in/out of embedding.

@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Sep 29, 2021
legrego (Member) commented Aug 11, 2022

This issue has been open since 2016, and there doesn't appear to be a strong interest at this time. I'm going to close for the time being, but we can reopen if priorities change.

Administrators can control whether or not they wish for Kibana as a whole to be embeddable via server.securityResponseHeaders.disableEmbedding, which was added via #97158 in 7.13.0. X-Frame-Options has also been an option since 5.6.0. These options aren't as flexible as the original request, but they are sufficient for the time being.
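Whichever of the options above is used (custom response headers, a proxy, or `disableEmbedding`), an operator will want to verify what the deployment actually sends. The following checker is an added example, not Kibana or proxy code: it takes a response header map with lower-case names (the shape Node's `res.headers` returns) and classifies the effective framing policy, using the rule that browsers supporting `frame-ancestors` ignore `X-Frame-Options` when both are present.

```javascript
// Added example, not Kibana code: classify the framing policy carried by a
// response so that X-Frame-Options / CSP frame-ancestors can be checked
// against what the administrator intended. Header names are lower-case.

// Returns the frame-ancestors source list (lower-cased), or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase() || null;
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  const base = { xfo, ancestors };
  if (ancestors) {
    // CSP wins over X-Frame-Options in browsers that understand it.
    const crossOrigin = ancestors.some((a) => a !== "'self'" && a !== "'none'");
    const sameOrigin = !ancestors.includes("'none'");
    return { ...base, source: 'csp', crossOriginEmbeddable: crossOrigin, sameOriginEmbeddable: sameOrigin };
  }
  if (xfo === 'DENY') {
    return { ...base, source: 'xfo', crossOriginEmbeddable: false, sameOriginEmbeddable: false };
  }
  if (xfo === 'SAMEORIGIN') {
    return { ...base, source: 'xfo', crossOriginEmbeddable: false, sameOriginEmbeddable: true };
  }
  // No header, or an obsolete value such as ALLOW-FROM that modern browsers
  // ignore: the page can be framed from anywhere.
  return { ...base, source: 'none', crossOriginEmbeddable: true, sameOriginEmbeddable: true };
}
```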

@legrego legrego closed this as not planned Won't fix, can't repro, duplicate, stale Aug 11, 2022