Solved

Previewer with URL listed in allowed origins is blocked CORS.

  • September 5, 2023
  • 6 replies
  • 129 views

Freddy
  • Thinkwise Local Partner Brasil
  • 529 replies

Hi. 

We have an app with a dashboard, and this dashboard has its own subdomain: the app is hosted on app.domain.ext with a dashboard on dashboard.app.domain.ext.

I've added both URLs to Indicium's allowed origins, but it gets blocked by the way the frame is set up.

Refused to display 'https://dashboard.esm.app.br/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Any ideas on this?

CC: @Yara 

Best answer by Dick van den Brink

This is not something that is because of Indicium (so changing the "allowed origins” won't have effect).

This is because your dashboard uri (https://dashboard.esm.app.br/) returns the X-Frame-Options header. The browser tries to load the url you provided for the previewer/iframe and blocks it because of this header.


6 replies

Freddy
  • Author
  • Thinkwise Local Partner Brasil
  • 529 replies
  • September 6, 2023
Dick van den Brink wrote:

This is not something that is because of Indicium (so changing the "allowed origins” won't have effect).

This is because your dashboard uri (https://dashboard.esm.app.br/) returns the X-Frame-Options header. The browser tries to load the url you provided for the previewer/iframe and blocks it because of this header.

Hi @Dick van den Brink

Thanks for the tip. I was able to do an override via the config to not set this header, but it still doesn't load: I don't get the blocked message anymore, but the previewer stays empty.

<iframe data-testid="previewer__custom-screen-url" src="https://dashboard.esm.app.br/superset/dashboard/p/lr87LblDQkE/" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" class="css-y1obzt"></iframe>

Any suggestions on how to troubleshoot this?


Freddy
  • Author
  • Thinkwise Local Partner Brasil
  • 529 replies
  • September 6, 2023
For some reason, the header kept coming back. I have resolved the issue for now by altering the reverse proxy with an additional statement: proxy_hide_header X-Frame-Options;


Marius Korff
Captain
Freddy wrote:

For some reason, the header kept coming back.. I have resolved the issue for now by altering the reverse proxy with an additional statement. proxy_hide_header X-Frame-Options;

Where exactly did you fix this? Indicium’s appsettings.json? I am currently having the exact same issue. I cannot even show a simple URL like ‘https://google.com’ 😅


Dick van den Brink

Hi Marius, 

This is not something that Indicium does - this is a header that in your case google.com is returning. So nothing you can do about it in Indicium’s appsettings.json.

So, you can only remove the header if you control the website you are trying to include in the previewer.

This is a security feature to prevent clickjacking, you can read more about it here: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options


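The two answers above explain why the previewer stays empty: the browser evaluates the framing policy that the framed page itself sends (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive, which takes precedence when both are present), and the embedding page cannot override it. The script below is an added example for this thread, not Thinkwise/Indicium code; it applies those rules to a set of response headers and reports whether a given chain of embedding origins would be allowed to frame the page. The domains app.domain.ext and dashboard.app.domain.ext are the placeholders from the opening post, and evil.example and the header sets are constructed for the example. It reproduces the thread's own case (SAMEORIGIN blocking a sibling subdomain), the proxy_hide_header fix (no header at all, so any site may frame the dashboard) and the narrower alternative of a frame-ancestors list that names only the app origin.

```python
"""Evaluate X-Frame-Options / CSP frame-ancestors the way a browser does.

Added example; domains are placeholders, header sets are constructed.
Ports are ignored in host matching to keep the example short.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """scheme://host[:port], lowercased: the unit browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_source_allows(source: str, ancestor: str, target: str) -> bool:
    """Match one frame-ancestors source expression against one ancestor origin."""
    src = source.strip().lower()
    if src in ("'none'", ""):
        return False
    if src == "'self'":
        return ancestor == target
    if src == "*":
        return True
    a = urlsplit(ancestor)
    if src.endswith(":") and "//" not in src:        # scheme-source, e.g. "https:"
        return a.scheme + ":" == src
    scheme, sep, host = src.partition("://")
    if not sep:                                      # bare host: same scheme as the page
        scheme, host = "", scheme
        if a.scheme != urlsplit(target).scheme:
            return False
    elif scheme != a.scheme:
        return False
    host = host.split("/")[0].split(":")[0]          # drop path and port
    ahost = a.hostname or ""
    if host.startswith("*."):
        return ahost.endswith(host[1:])              # "*.domain.ext" never matches "domain.ext"
    return ahost == host


def frame_ancestors_sources(headers: dict) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if no CSP sets it."""
    for name, value in headers.items():
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            dname, _, dvalue = directive.strip().partition(" ")
            if dname.lower() == "frame-ancestors":
                return dvalue.split()                # empty list behaves like 'none'
    return None


def xfo_allows(headers: dict, ancestors: List[str], target: str) -> Tuple[bool, str]:
    """X-Frame-Options check, used only when no frame-ancestors directive exists."""
    values = {v.strip().lower()
              for name, value in headers.items() if name.lower() == "x-frame-options"
              for v in value.split(",")}
    if not values:
        return True, "no X-Frame-Options: any site may frame this page"
    if len(values) > 1:
        # Duplicate headers with different values (HTML standard): blocked if one is deny
        if "deny" in values:
            return False, "conflicting X-Frame-Options values including deny"
        return True, "conflicting X-Frame-Options values, header ignored"
    value = values.pop()
    if value == "deny":
        return False, "X-Frame-Options: deny"
    if value == "sameorigin":
        foreign = [a for a in ancestors if a != target]
        if foreign:
            return False, f"X-Frame-Options: sameorigin, ancestor {foreign[0]} is not {target}"
        return True, "X-Frame-Options: sameorigin, every ancestor is same-origin"
    # allow-from (obsolete) or any unknown token: current browsers ignore the header
    return True, f"X-Frame-Options: {value!r} not recognised, header ignored"


def framing_allowed(headers: dict, target_url: str,
                    ancestor_urls: List[str]) -> Tuple[bool, str]:
    """True if every frame up the chain may embed target_url, plus the deciding rule."""
    target = origin(target_url)
    ancestors = [origin(u) for u in ancestor_urls]
    sources = frame_ancestors_sources(headers)
    if sources is not None:                          # CSP wins over X-Frame-Options
        ok = all(any(csp_source_allows(s, a, target) for s in sources) for a in ancestors)
        return ok, "CSP frame-ancestors " + " ".join(sources)
    return xfo_allows(headers, ancestors, target)


# Constructed sample inputs (placeholders from the opening post)
APP = "https://app.domain.ext/"
DASH = "https://dashboard.app.domain.ext/superset/dashboard/p/lr87LblDQkE/"
EVIL = "https://evil.example/"
XFO_SAMEORIGIN = {"X-Frame-Options": "sameorigin"}                      # the thread's case
STRIPPED = {}                                                             # after proxy_hide_header
CSP_APP_ONLY = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://app.domain.ext"}

if __name__ == "__main__":
    for label, hdrs, chain in [("sameorigin, app frames dashboard", XFO_SAMEORIGIN, [APP]),
                               ("header stripped, evil frames dashboard", STRIPPED, [EVIL]),
                               ("csp, app frames dashboard", CSP_APP_ONLY, [APP]),
                               ("csp, evil frames dashboard", CSP_APP_ONLY, [EVIL]),
                               ("csp, evil frames app frames dashboard", CSP_APP_ONLY, [EVIL, APP])]:
        print(f"{label}: {framing_allowed(hdrs, DASH, chain)}")
```

To use it against a live dashboard, copy the headers from curl -sI on the dashboard URL into a dict and call framing_allowed with the previewer's page as the ancestor. The check makes the trade-off in the thread visible: proxy_hide_header X-Frame-Options; removes the clickjacking protection for every site, while adding a frame-ancestors list on the dashboard's proxy (for example add_header Content-Security-Policy "frame-ancestors 'self' https://app.domain.ext" always; in nginx) keeps the embedding limited to the app origin and, because browsers prefer frame-ancestors over X-Frame-Options, works even when the dashboard keeps sending X-Frame-Options.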

Marius Korff
Captain
Dick van den Brink wrote:

Hi Marius, 

This is not something that Indicium does - this is a header that in your case google.com is returning. So nothing you can do about it in Indicium’s appsettings.json.

So, you can only remove the header if you control the website you are trying to include in the previewer.

This is a security feature to prevent clickjacking, you can read more about it here: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options


I was afraid that that was the case. Is there any way to show external URLs (like google) in the preview component?

