Hello Helical Team,
I am embedding my Helical Insight into my website using iFrame. The code is as below:
<iframe src="https://dashboard.myurl.com/hi-ee"></iframe>
However, I am getting an error: Unable to load page.
In the console I am seeing the error: Refused to display ‘https://dashboard.myurl.com/’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.
I am using Helical Insight 4.0 GA. Please help to resolve this.
Thank You,
Snow.
Hello Snow,
The X-Frame-Origin issue is something that is being encountered due to the security policy on your redirection server. You might have used a different kind of server for redirection, like Apache, IIS, Nginx, HAProxy etc. If your referrer policy is strict-origin-cross-origin, it ensures that you cannot use iframe, embed, or object tags.
You may want to refer to the following documentation to change the settings of your redirection server.
developer.mozilla.org
If both servers (where you are embedding and where your BI is hosted) are in the same domain, like bi.helicalinsight.com (Helical BI server) and app.helicalinsight.com, then settings like ‘X-Frame-Options’ to ‘sameorigin’ might work.
But in case they are on different domains, you will have to use the allow-from option along with specifying the BI server link.
Note: syntax might change based on the server you are using (like Apache, IIS, Nginx, HAProxy etc)
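
As an added example (not part of the Helical Team's reply and not Helical Insight code), this JavaScript sketch models how a browser decides whether a parent page may frame a response, using the thread's X-Frame-Options values and the CSP frame-ancestors directive, which current browsers honour in place of the obsolete allow-from option. The function names, the result shape, the single-parent simplification and the portal.example.com origin are assumptions of the example.

```javascript
// Added example: models the browser's framing check for ONE direct parent.
// Simplifications (assumptions): header names are lower-cased, only the
// immediate parent is checked (browsers check every ancestor), and
// frame-ancestors sources are limited to *, 'self', 'none' and host sources.
function matchesSource(src, parent, framed) {
  if (src === "*") return true;
  if (src === "'none'") return false;
  if (src === "'self'") return parent.origin === framed.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(src);
  if (!m) return false; // source form not covered by this sketch
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the framed page's scheme.
  const proto = scheme ? scheme.toLowerCase() + ":" : framed.protocol;
  const want = new URL(`${proto}//${host}${port ? ":" + port : ""}`); // normalises default ports
  if (parent.protocol !== want.protocol || parent.port !== want.port) return false;
  return wildcard
    ? parent.hostname.endsWith("." + want.hostname)
    : parent.hostname === want.hostname;
}

function canFrame(headers, framedUrl, parentOrigin) {
  const framed = new URL(framedUrl);
  const parent = new URL(parentOrigin);
  const directive = (headers["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const allowed = directive.slice(1).some((s) => matchesSource(s, parent, framed));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "sameorigin")
    return { allowed: parent.origin === framed.origin, decidedBy: "x-frame-options" };
  // ALLOW-FROM is obsolete: current browsers ignore the header, so no protection applies.
  if (xfo.startsWith("allow-from")) return { allowed: true, decidedBy: "allow-from-ignored" };
  return { allowed: true, decidedBy: "none" };
}

// Constructed sample: the thread's header, framed from a made-up parent origin.
console.log(
  canFrame({ "x-frame-options": "sameorigin" }, "https://dashboard.myurl.com/hi-ee", "https://portal.example.com")
);
```

For the thread's case the result is `allowed: false`, matching the console error. SAMEORIGIN compares full origins (scheme, host and port), so the check also returns false for bi.helicalinsight.com framed by app.helicalinsight.com.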

snow:
In the console I am seeing the error: Refused to display ‘https://dashboard.myurl.com/’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.
The Same Origin Policy (SOP) is the policy browsers implement to prevent vulnerabilities via Cross Site Scripting (XSS). In other words, the browser would not allow any site to make a request to any other site. It would prevent different origins from interacting with each other through such requests, like AJAX. This policy exists because it is too easy to inject a link to a JavaScript file that is on a different domain. This is a security risk - you really only want code that comes from the site you are on to execute and not just any code that is out there.
The Cross Origin Resource Sharing (CORS) is one of the few techniques for relaxing the SOP. Because SOP is “on” by default, setting CORS at the server-side will allow a request to be sent to the server via an XMLHttpRequest even if the request was sent from a different domain. This becomes useful if your server was intended to serve requests from other domains (e.g. if you are providing an API).
JSON with Padding is just a way to circumvent same-origin policy, when CORS is not an option. This is risky and a bad practice. Avoid using this.
If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in JavaScript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.
If you need to enable CORS on the server in case of localhost, you need to have the following in the request header.
Access-Control-Allow-Origin: http://localhost:9999
Hello Helical Insight,
I am using Helical Insight 4.1 GA version. I am trying to embed Helical Insight created reports and dashboards into another product but it is not becoming visible. Please help.
Thank You,
Snow.