Kibana: Canvas "Add element" doesnt work when Kibana is behind NGINX with strict MIME type checking

Created on 15 Nov 2018  路  6Comments  路  Source: elastic/kibana

Kibana version:
6.5.0
Describe the bug:
When Kibana is behind NGINX reverse proxy and we have strict MIME type checking in place (add_header X-Content-Type-Options nosniff; header) canvas will not display any elements.
Chrome gives an error:

Refused to execute script from '<URL>' because its MIME type ('') is not executable, 
and strict MIME type checking is enabled.

Removing the header makes Canvas work again, I guess making the MIME type explicit would fix it.

Screenshots (if relevant):
screenshot 2018-11-15 at 14 11 10

Sample NGINX configuration

server {
        listen 443 ssl;
        server_name 0e6395c16cfb11934509421d009b1b1b.elasticdemos.xyz;

        ssl_certificate /etc/letsencrypt/live/elasticdemos.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/elasticdemos.xyz/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options DENY;

       # this needs to be commented out in order to make canvas work behind nginx:
       add_header X-Content-Type-Options nosniff;


        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        location  / {
                proxy_pass http://127.0.0.1:5601;
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_read_timeout 600;
                proxy_send_timeout 600;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host:$server_port;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forward-Proto https;
                proxy_set_header X-Nginx-Proxy true;

                proxy_redirect off;
        }
}
ExpressionLanguage AppServices bug needs-research
Source
picture ugosan

Most helpful comment

Not really. The rest of Kibana works just fine with strict MIME types enabled, Canvas is not behaving like the rest of Kibana in this sense.

picture ugosan on 19 Nov 2018
👍3

All 6 comments

Pinging @elastic/kibana-canvas

elasticmachine picture elasticmachine on 15 Nov 2018

@ugosan this strikes me as more of a system configuration issue than a Canvas one...

w33ble picture w33ble on 19 Nov 2018

Not really. The rest of Kibana works just fine with strict MIME types enabled, Canvas is not behaving like the rest of Kibana in this sense.

ugosan picture ugosan on 19 Nov 2018
👍3

@ugosan Did you find a workaround?

DanielLuu picture DanielLuu on 8 Jan 2019

Any update on this? Would be great to keep strict MIME types enabled

sejbot picture sejbot on 26 Feb 2019
👍1

@ppisljar - can you look into this and see if it will be an issue for flipping the expression toggle on? Sounds like it might cause a regression.

stacey-gammon picture stacey-gammon on 26 Mar 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

passkey1510 picture passkey1510  路  96Comments
hvisage picture hvisage  路  170Comments
JulienPalard picture JulienPalard  路  95Comments
TiNico22 picture TiNico22  路  87Comments
bquartier picture bquartier  路  79Comments