Open weird-oecophylla opened 8 months ago
What kind of resources would you want to embed? Content security policies are important, so we are unlikely to allow blanket disabling of these features.
In my context:
I developed a web application fully interacting with Graylog using its API.
I also developed a Graylog plugin which adds a webpage into Graylog's interface. This webpage was supposed to integrate the webapp thanks to an iframe.
However, this iframe could not be loaded because of the CSP.
My web application is hosted on the same machine as my Graylog instance and uses the same domain name (just using another port).
An allow_embedding_http parameter allowing any sources from the same domain would solve my issue.
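The scenario above (same host, different port) trips over a detail of CSP that the thread does not spell out: `'self'` matches scheme, host and port, so an iframe served from another port is not covered by it, and the narrow fix is to list that one origin in `frame-src` rather than disabling the policy. The following is an added illustration, not code from this issue or from Graylog; `frame_allowed` and the origins used are hypothetical, and it implements only the subset of CSP source matching needed here.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _origin_parts(origin: str):
    """(scheme, host, effective port) of an origin such as https://host:8443."""
    u = urlsplit(origin)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(expr: str, frame_origin: str, page_origin: str) -> bool:
    """Does one CSP source expression permit frame_origin? (subset of CSP3 matching)"""
    expr = expr.lower().strip("'")
    f_scheme, f_host, f_port = _origin_parts(frame_origin)
    if expr == "none":
        return False
    if expr == "self":  # 'self' = same scheme, host AND port as the embedding page
        return (f_scheme, f_host, f_port) == _origin_parts(page_origin)
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. https:
        return f_scheme == expr[:-1]
    e_scheme, e_hostport = expr.split("://", 1) if "://" in expr else (None, expr)
    e_host, _, e_port = e_hostport.partition(":")
    if e_scheme and e_scheme != f_scheme:
        return False
    if e_host.startswith("*."):
        if not f_host.endswith(e_host[1:]):
            return False
    elif e_host != f_host:
        return False
    if e_port == "*":
        return True
    if e_port:
        return int(e_port) == f_port
    # No port in the expression: the default port of its scheme (or the page's) applies
    return f_port == DEFAULT_PORTS[e_scheme or _origin_parts(page_origin)[0]]

def frame_allowed(csp: str, frame_origin: str, page_origin: str) -> bool:
    """May a page at page_origin embed an iframe from frame_origin under this CSP?"""
    policy = parse_csp(csp)
    # frame-src falls back to child-src, then default-src (CSP3 fallback chain)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(e, frame_origin, page_origin) for e in policy[directive])
    return True  # no governing directive: framing is not restricted by CSP
```

With `frame-src 'self'` an iframe from `https://graylog.example:8443` inside a page at `https://graylog.example` is refused; adding `https://graylog.example:8443` as an explicit source admits that one origin only.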
@weird-oecophylla Thanks for the background. The best course of action is to make the CSP header configurable. We are unlikely to do work on this right now because we don't currently need this functionality, but if you are willing to contribute code, we'd be happy to work with you to get this merged.
A few pointers:
It would be nice to have the possibility to embed external tools inside Graylog. For now, Graylog does not have any parameter to authorize external sources embedding.
Default security options like CSP introduced in 5.0 block any external source loading.
An option similar to the allow_embedding_http parameter would solve the problem.