Hello Grafana Team,
I wanted to clarify a few doubts related to the security issue mentioned in the blog https://grafana.com/blog/2023/10/10/how-to-embed-grafana-dashboards-into-web-applications/

As per the blog, in order to allow Grafana to accept embedding requests the allow_embedding configuration has to be set, but this will make your server vulnerable to clickjacking attacks. My question is whether this attack can be mitigated with the approach suggested in the following blog: https://portswigger.net/web-security/cross-site-scripting/content-security-policy#protecting-against-clickjacking-using-csp. I think we can set the CSP in grafana.ini via content_security_policy_template.

My other question is related to another attack vector, i.e. CSRF, mentioned in the same Grafana blog as above. Here I wanted to confirm: I have 2 different domains, i.e. Grafana is on one domain and the site where the Grafana dashboard gets embedded is on a different domain. In that case I don't want cookies to be shared between them. So I would want to set cookie_samesite=strict, and I hope the embed requests should still work without any CSRF concern. In the blog it is mentioned to set cookie_samesite=disabled, but what if there is no need to share the cookies in cross-site requests? I was not able to find the answers via search; please redirect me to the correct page if this is already answered somewhere.
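As an added example (not from the post and not Grafana's own code), here is a small Python checker for the two response headers these questions hinge on: it parses a Content-Security-Policy header to decide whether a given embedding origin is permitted by frame-ancestors, and reports the SameSite attribute of a Set-Cookie header. The header strings and origins are constructed samples.

```python
"""Check the headers a Grafana deployment sends when allow_embedding is on.

Constructed sample headers only; nothing here talks to a real server.
"""
from urllib.parse import urlsplit

# Constructed samples: a CSP whose template adds frame-ancestors, and two
# session cookies, one emitted with cookie_samesite=strict and one without.
SAMPLE_CSP = ("script-src 'self' 'nonce-abc123'; object-src 'none'; "
              "frame-ancestors 'self' https://portal.example.com https://*.apps.example.net")
SAMPLE_COOKIE_STRICT = "grafana_session=REDACTED; Path=/; HttpOnly; SameSite=Strict"
SAMPLE_COOKIE_NOATTR = "grafana_session=REDACTED; Path=/; HttpOnly"


def parse_csp(header):
    """Return {directive: [source expressions]} from a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(src, origin, own_origin):
    """Does one frame-ancestors source expression cover `origin`?"""
    s = src.lower()
    if s == "'self'":
        return origin.lower() == own_origin.lower()
    if s == "'none'":
        return False
    o = urlsplit(origin.lower())
    if s.endswith(":") and "/" not in s:          # scheme-only source, e.g. https:
        return o.scheme == s[:-1]
    h = urlsplit(s if "://" in s else "//" + s)   # host-source; scheme optional
    if h.scheme and h.scheme != o.scheme:          # scheme-less sources are accepted leniently
        return False
    if h.port and h.port != (o.port or {"http": 80, "https": 443}.get(o.scheme)):
        return False
    host = h.hostname or ""
    if host.startswith("*."):                      # *.example.com matches subdomains only
        return (o.hostname or "").endswith(host[1:])
    return o.hostname == host


def frame_ancestors_allows(csp_header, embedder_origin, grafana_origin):
    """True if frame-ancestors lets `embedder_origin` frame Grafana.

    frame-ancestors has no default-src fallback, so a missing directive
    leaves framing unrestricted: the clickjacking exposure allow_embedding opens
    up unless content_security_policy_template adds the directive."""
    sources = parse_csp(csp_header).get("frame-ancestors")
    if sources is None:
        return True
    return any(_source_matches(s, embedder_origin, grafana_origin) for s in sources)


def cookie_samesite(set_cookie_header):
    """Return the lower-cased SameSite value of a Set-Cookie header, or None if absent."""
    for attr in set_cookie_header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower() or None
    return None
```

A cross-site iframe counts as a cross-site request, so a SameSite=Strict session cookie is not sent with it; the checker only reports the attribute so the deployment's behaviour can be verified against the embedding setup.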