X-Frame-Options defaults setting prevents kibana from being embedded in an iFrame

Description

The rack webserver defined in logstash/kibana.rb uses protection defaults which set the header "x-frame-options: SAMEORIGIN".

This prevents the logstash kibana interface from being embedded in other pages (we embed kibana screens on support pages / TV screens, etc.).

The following snippet fixes it for me, though there is further detail and a different implementation in a kibana2 issue: https://github.com/rashidkpc/Kibana/pull/112 - when it used to ship with its own webserver.

============================================
— orig/logstash/kibana.rb 2013-09-07 00:03:12.000000000 +0100
+++ mine/logstash/kibana.rb 2013-09-30 09:52:47.000000000 +0100
@@ -15,6 +15,7 @@
module LogStash::Kibana
class App < Sinatra::Base
set :logging, true
+ set rotection, :except => :frame_options

use Rack::CommonLogger
use Rack::ShowExceptions
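
Review bot: the added `set` line in `App` switches the frame-options protection off for every response and for every embedding origin, not only for the support pages that need to frame Kibana, so the interface loses its clickjacking protection entirely. Consider putting this behind a configuration option that defaults to the current SAMEORIGIN behaviour, so that only deployments which need embedding opt out. Also, as rendered here the line reads `set rotection, ...`; it needs to be `set :protection, :except => :frame_options` to be valid Sinatra configuration.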
============================================

$ curl -I http://logstash.internal/index.html
HTTP/1.1 200 OK
content-type: text/html;charset=utf-8
content-length: 2356
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
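
The header behaviour described in this report, as an added example that is not part of the original report or of the logstash code: it evaluates the response headers shown above against three embedding pages, with the header present and with it removed as the patch does. The embedding hosts are constructed, only the direct parent frame is compared, and no CSP frame-ancestors directive is assumed (the response above carries none).

```ruby
require 'uri'

# Response headers from the curl output in the report above.
PAGE_RESPONSE = <<~RAW
  HTTP/1.1 200 OK
  content-type: text/html;charset=utf-8
  content-length: 2356
  x-xss-protection: 1; mode=block
  x-content-type-options: nosniff
  x-frame-options: SAMEORIGIN
RAW
RESOURCE = 'http://logstash.internal/index.html'
# Constructed embedding pages (hypothetical hosts, not from the report).
PARENTS = {
  same_origin: 'http://logstash.internal/wall.html',
  support:     'http://support.internal/status.html',
  untrusted:   'http://other.example/page.html'
}.freeze

# Turn a raw `curl -I` response into { lowercased-name => value }.
def parse_headers(raw)
  raw.lines.drop(1).each_with_object({}) do |line, headers|
    name, value = line.strip.split(':', 2)
    headers[name.downcase] = value.strip unless value.nil?
  end
end

def origin_of(url)
  uri = URI.parse(url)
  [uri.scheme.downcase, uri.host.downcase, uri.port]
end

# Verdict for one parent page framing the resource. Simplification: only the
# direct parent is compared; browsers also check further ancestors.
def framing_verdict(headers, resource_url, parent_url)
  case headers['x-frame-options'].to_s.strip.upcase
  when ''           then :allowed   # no header, no framing restriction
  when 'DENY'       then :blocked
  when 'SAMEORIGIN'
    origin_of(resource_url) == origin_of(parent_url) ? :allowed : :blocked
  else :not_evaluated                # e.g. the obsolete ALLOW-FROM
  end
end

def verdicts(headers)
  PARENTS.transform_values { |parent| framing_verdict(headers, RESOURCE, parent) }
end

before = parse_headers(PAGE_RESPONSE)
after  = before.reject { |name, _| name == 'x-frame-options' } # effect of the patch
puts "with header:    #{verdicts(before)}"
puts "header removed: #{verdicts(after)}"
```

With the header removed, the support page can embed the interface, and so can any other origin.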

Activity

Philippe Weber
March 2, 2015, 6:49 AM

Kibana integration will be completely removed from logstash 1.5 as kibana 4 should now be used.

Assignee

Philippe Weber

Reporter

elliot
