Configure Dashboards Trusted Domains List
The Dashboards Trusted Domains List is a list of authorized domains and URLs that aid the management of external content. For example, external images without a domain or URL specified in the list will not render in the dashboard. To permit external content, you can add the content's domain or URL to the list. You can turn off the enforcement of the domain list by configuring your web-features.conf file.
Create or edit a local web-features.conf file
The following are prerequisites for editing configuration files:
- You must be a user with file system access. For example, a system administrator can edit configuration files.
- You must understand how the configuration system works across your deployment, including where to make the changes safely.
For steps on how to safely create or edit a configuration file, see Customize a configuration file.
Add the Dashboards Trusted Domains List to the web-features.conf file
Use the REST API to update the web-features.conf setting. Updates to web-features.conf are replicated across search heads and don't require a restart.
You must add your domain names under the system level local file. The following steps create a Dashboards Trusted Domains List:
- Write your initial REST command. The command uses the following structure:
https://<host>:<mPort>/servicesNS/nobody/system/web-features/feature:dashboards_csp
. For example, your REST command might look like the following:curl -k -u admin:password https://localhost:8089/servicesNS/nobody/system/web-features/feature:dashboards_csp
- Add the domains to the Dashboards Trusted Domains List. The setting name in your command must follow this format:
dashboards_trusted_domain.<label name>
. You must use unique label names for each URL. Using the same label name will overwrite any previously attached URL. Your command might look like the following:-d dashboards_trusted_domain.exampleLabel=https://example.com
Remove a domain
To remove a domain with the API, use the same label name and attach it with an empty string. The empty string will overwrite the previous domain URL.
To remove a domain without the API, you can edit the file manually. For more details, see How to edit a configuration file.
Example of configured dashboards_trusted_domains settings
Add authorized domains and URLs to the web-features.conf file, instead of the previously used web.conf file.
If you want to troubleshoot the Dashboards Trusted Domains List or add to the list directly, you can add authorized domains and URLs to the [feature:dashboards_csp] stanza in the web-features.conf file. Each setting will start with the syntax dashboards_trusted_domain.
followed by the domain or URL name.
Domain and URL names can be specific or use an asterisk wildcard. The asterisk wildcard must be the leftmost domain in the domain name system. Asterisk wildcards in the middle or end of a domain name system do not work. For example, the domain name *.buttercup-games.com
loads content from any subdomain under buttercup-games.com
. The domain name www.*.buttercup-games.com
is invalid.
The following is an example of configured dashboards_trusted_domains settings.
[feature:dashboards_csp] dashboards_trusted_domain.everything=*.buttercup-games.com dashboards_trusted_domain.example=example.buttercup-games.com
Subdomains allowed by default
The Dashboards Trusted Domains List (DTDL) allows select subdomains by default without adding the domains to the DTDL. Additionally, the subdomains do not trigger the content warning modals. The subdomains are part of an internal Splunk software list that is not visible to users.
The following lists the subdomains allowed by default:
- apps.splunk.com
- dev.splunk.com
- docs.flowmill.com
- docs.splunk.com
- help.rigor.com
- help.victorops.com
- lantern.splunk.com
- splunkbase.com
- splunkbase.splunk.com
- splunkui.splunk.com
- splunk.com/download
- splunk.com/products
External content and redirection feature settings
Do not set the feature settings to false. Turning the feature settings to false removes safeguards for external content and external redirection modals.
Dashboard Studio and Classic SimpleXML dashboards use feature settings in web-features.conf to turn the enforcement of the Dashboards Trusted Domains List on and off.
Enable_dashboards_external_content_restriction
is true by default and shows the external content warning if a domain or URL is not in the Dashboards Trusted Domains List.
Enable_dashboards_redirection_restriction
is true by default and shows the redirection warning modal if a domain or URL is not in the Dashboards Trusted Domains List.
The following is an example of configured external content and redirection feature settings set to true:
[feature:dashboards_csp] enable_dashboards_external_content_restriction=true enable_dashboards_redirection_restriction=true
Dashboard Studio dashboards
The warning modals for Dashboard Studio dashboards differ in how they handle external or redirection content. Both modals have configurable feature settings that default to true for enablement.
External content warning modal
Dashboard Studio dashboards that attempt to load external content not listed in the Trusted Domains List receive an error message and the content doesn't load.
To avoid the error, you can do one of the following:
- Add the domain or URL to the Dashboards Trusted Domains List.
- Upload external content to your app directory and reference the content locally.
- Upload images directly with the Dashboard Studio UI. For more details, see Add an image.
Redirection content warning modal
Dashboard Studio dashboards that attempt to redirect to external content not listed in the Trusted Domains List receives a warning message confirming that you want to leave the Splunk Platform.
To avoid the warning modal, you can add the domain or URL to the Dashboards Trusted Domains List.
Classic SimpleXML dashboards
The warning modals for Classic SimpleXML dashboards differ in how they handle external or redirection content. Both modals have configurable feature settings that default to true for enablement.
External content warning modal
When viewing SimpleXML dashboards that attempt to load external content, a warning modal prompts the following:
- Load content by acknowledging the external domain or URL is trusted.
- Not load content by selecting Cancel because the external domain or URL is not trusted.
To avoid the warning modal, you can do one of the following:
- Add the domain or URL to the Dashboards Trusted Domains List.
- Upload external content to your app directory and reference the content locally.
Tags that load external content
The warning modal checks HTML tags that load external content. The following is a list of HTML tags in SimpleXML that load external content:
- applet
- audio
- base
- embed
- form
- frame
- iframe
- img
- object
- script
- style
- track
- video
Redirection content warning modal
The redirection content warning modal applies to any links in HTML tags or custom URLs. When viewing Classic SimpleXML dashboards that attempt to redirect to external content, a warning modal prompts the following:
- Redirect to the content by acknowledging the external domain or URL is trusted.
- Not redirect to the content by selecting Cancel because the external domain or URL is not trusted.
Tags that load external content
The warning modal checks HTML tags that redirect to external content. The following is a list of HTML tags in SimpleXML that redirect to external content:
- a
- link
Splunk Enterprise summary dashboard | Customize Splunk Web messages |
This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!