From 422f5705c0541b7f1fb55ec6b4bc9803f09718ad Mon Sep 17 00:00:00 2001
From: Elastic Jasper <elastic-jasper@users.noreply.github.com>
Date: Wed, 29 Jun 2016 13:14:33 -0400
Subject: [PATCH] Backport PR #7578 ---------
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**Commit 1:**
[fix] Tests passing.

* Original sha: 41b06517d2f45ab767b02a3f81e80e8e745c01d5
* Authored by Nicolás Bevacqua <nicolasbevacqua@gmail.com> on 2016-06-29T14:52:19Z

**Commit 2:**
Revert "Revert "Merge pull request #7568 from bevacqua/hotfix/config-xss""

This reverts commit dda84e9920450c43e9f5e3367641f6462e15b936.

* Original sha: 4854f2d9673a1d1e8244338d8d82f29151fddad5
* Authored by Nicolás Bevacqua <nicolasbevacqua@gmail.com> on 2016-06-29T15:02:17Z
---
 src/ui/public/metadata.js | 18 +++++++++++-------
 src/ui/views/chrome.jade  |  6 +++---
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/ui/public/metadata.js b/src/ui/public/metadata.js
index 0b3897bb28e16..4ea263d9aab39 100644
--- a/src/ui/public/metadata.js
+++ b/src/ui/public/metadata.js
@@ -1,12 +1,7 @@
+import $ from 'jquery';
 import _ from 'lodash';
-// singleton for immutable copy of window.__KBN__
 
-if (!_.has(window, '__KBN__')) {
-  throw new Error('window.__KBN__ must be set for metadata');
-}
-
-const kbn = _.cloneDeep(window.__KBN__ || {});
-export default deepFreeze(kbn);
+export default deepFreeze(getState());
 
 function deepFreeze(object) {
   // for any properties that reference an object, makes sure that object is
@@ -20,3 +15,12 @@ function deepFreeze(object) {
 
   return Object.freeze(object);
 }
+
+function getState() {
+  const stateKey = '__KBN__';
+  if (!(stateKey in window)) {
+    const state = $('kbn-initial-state').attr('data');
+    window[stateKey] = JSON.parse(state);
+  }
+  return window[stateKey];
+}
diff --git a/src/ui/views/chrome.jade b/src/ui/views/chrome.jade
index 646b9bd329a45..45f42d1086a07 100644
--- a/src/ui/views/chrome.jade
+++ b/src/ui/views/chrome.jade
@@ -1,5 +1,5 @@
-- var j = function (o) { return JSON.stringify(o); }
-- var appName = 'kibana';
+-
+  var appName = 'kibana';
 
 block vars
 
@@ -12,5 +12,5 @@ html(lang='en')
     title Kibana
     block head
   body(kbn-chrome, id='#{appName}-body')
-    script window.__KBN__ = !{j(kibanaPayload)};
+    kbn-initial-state(data=JSON.stringify(kibanaPayload))
     block content