Skip to main content

Hi. 

We haven an App with a dashboard, and this dashboard has it's own subdomain like the app is hosted on app.domain.ext  with a dashboard on dashboard.app.domain.ext.  

I've added both URLS to Indicium allowed origins..  but it gets blocked by the way the frame is setup. 

Refused to display 'https://dashboard.esm.app.br/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Any ideas on this?

CC: @Yara 

This is not something that is because of Indicium (so changing the "allowed origins” won't have effect).

This is because your dashboard uri (https://dashboard.esm.app.br/) returns the X-Frame-Options header. The browser tries to load the url you provided for the previewer/iframe and blocks it because of this header.


This is not something that is because of Indicium (so changing the "allowed origins” won't have effect).

This is because your dashboard uri (https://dashboard.esm.app.br/) returns the X-Frame-Options header. The browser tries to load the url you provided for the previewer/iframe and blocks it because of this header.

Hi @Dick van den Brink

Thanks for the tip.. I was able to do an override via the config to not set this header.. but however it still doesn't load, don't get the blocked message anymore, but the previewer stays empty. 

<iframe data-testid="previewer__custom-screen-url" src="https://dashboard.esm.app.br/superset/dashboard/p/lr87LblDQkE/" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" class="css-y1obzt"></iframe>

Any suggestions no how to troubleshoot this?


This is not something that is because of Indicium (so changing the "allowed origins” won't have effect).

This is because your dashboard uri (https://dashboard.esm.app.br/) returns the X-Frame-Options header. The browser tries to load the url you provided for the previewer/iframe and blocks it because of this header.

Hi @Dick van den Brink

Thanks for the tip.. I was able to do an override via the config to not set this header.. but however it still doesn't load, don't get the blocked message anymore, but the previewer stays empty. 

<iframe data-testid="previewer__custom-screen-url" src="https://dashboard.esm.app.br/superset/dashboard/p/lr87LblDQkE/" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox" class="css-y1obzt"></iframe>

Any suggestions no how to troubleshoot this?

 

For some reason, the header kept coming back.. I have resolved the issue for now by altering the reverse proxy with an additional statement. proxy_hide_header X-Frame-Options;

 

 


For some reason, the header kept coming back.. I have resolved the issue for now by altering the reverse proxy with an additional statement. proxy_hide_header X-Frame-Options;

Where exactly did you fix this? Indicium’s appsettings.json? I am currently having the exact same issue. I cannot even show a simple URL like ‘https://google.com’ 😅


Hi Marius, 

This is not something that Indicium does - this is a header that in your case google.com is returning. So nothing you can do about it in Indicium’s appsettings.json.

So, you can only remove the header if you control the website you are trying to include in the previewer.

This is a security feature to prevent clickjacking, you can read more about it here: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options

 


Hi Marius, 

This is not something that Indicium does - this is a header that in your case google.com is returning. So nothing you can do about it in Indicium’s appsettings.json.

So, you can only remove the header if you control the website you are trying to include in the previewer.

This is a security feature to prevent clickjacking, you can read more about it here: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options

 

I was afraid that that was the case. Is there any way to show external URLs (like google) in the preview component?