Oracle Analytics Cloud and Server

Refused to frame/Connect because an ancestor violates the Content Security Policy directive


Hi, I am trying to display OAS in an iframe within our main application, but OAS is not allowing its content to be displayed, not even the login page. This issue persists across other applications and even on a simple HTML page. Despite adding safe domains in OAS, updating the instanceconfig.xml file multiple times and restarting the services, the iframe is still not working with OAS. We are unable to display our reports through OAS in an iframe.


"Refused to frame 'https://test.local.local:9503/' because an ancestor violates the following Content Security Policy directive: 'frame-ancestors 'self'."

Answers

  • my OAS version is 7.0.0.0.240110

  • Gianni Ceresa
    edited August 15

    Hi,

    Did you enter your domain where you are trying to embed the OAS page in DV > Console > Safe Domains as accepted for embedding?

    This is from OAS 2024 (aka 7.6), can't remember if that page was already like that in OAS 2023 (7.0).

    You can read some more details in the doc: https://docs.oracle.com/en/middleware/bi/analytics-server/administer-oas/register-safe-domains-1.html

    PS: don't enable it for all domains, enter the domains you need only, keep your OAS a bit secured…

  • I’ve tried everything and have also reviewed your previous posts related to this issue. I attempted all suggested solutions, including those provided by Oracle Engineers, which involved modifications to the instanceconfig.xml file. Despite these efforts, the issue persists. Are there any other methods that could bypass all security layers for testing purposes?

  • I tried the steps below as well, but they didn’t work and are also causing issues during the service restart.

    <Security>
      <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
      <InIFrameRenderingMode>allow</InIFrameRenderingMode>
      <ContentSecurityPolicy>
        <PolicyDirectives>
          <Directive>
            <Name>frame-src</Name>
            <Value>https://abc.com https://*.abc.com *</Value>
          </Directive>
          <Directive>
            <Name>img-src</Name>
            <Value>*</Value>
          </Directive>
        </PolicyDirectives>
      </ContentSecurityPolicy>
      <XFrameOptions>
        <Value>ALLOW-FROM https://abc.local.com</Value>
      </XFrameOptions>
      <EmbeddedContent>
        <Iframe enabled="true"/>
      </EmbeddedContent>
    </Security>

  • You expect the login page to be visible in the embedding? What page is the system exactly trying to load?

    The login page is a different deployment in the bi_server1, not sure any config in DV or OBIPS config file applies there.

  • I have an application where I’ve embedded OBIEE 11g in one IFRAME and OAS in a second IFRAME. Single Sign-On (SSO) is not enabled; I’m just displaying the OBIEE and OAS dashboards in these IFRAMEs. OBIEE 11g is functioning correctly; I can log in and view the dashboard. However, with OAS, I encounter an error referring to connection issues, and the page fails to load. Even the login page is inaccessible. I also tested with a simple HTML page, and I’m seeing the same error as in the application’s IFRAME.

  • This is the error.

  • Also, I don't have OHS or Apache in front of OAS. We are using OID, and there is no security configured in our environment

  • Look at the Network tab and find out exactly what page is being blocked. Because just having the console message about the domain doesn't tell you much…

    And OBIEE 11g is 8+ years old; browser security was different back at that time, don't take it as a reference for embedding…

    For example, in this screenshot you can see that it isn't my OAS page that is blocked, but the login page that OAS redirected me to (the 3rd row being a 302 redirect to the 4th row, the login).

  • Hi,
    As you can see there is no blockage at all. There is some issue with IFRAME/XFRAME because that is the only issue I am facing. I found the below file on the server:

    u01/app/OASUAT/Middleware/Oracle_Home/user_projects/domains/OAS_Domain/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/ir/war/WEB-INF/web.xml.

    It contains :

    <description>Security option used in session header to indicate
    whether app is embeddable in iframes</description>
    <param-name>oracle.bi.tech.xFrameOptions</param-name>
    <param-value>SAMEORIGIN</param-value>

    frame-src 'self' docs.oracle.com;frame-ancestors 'self'.

    Can we make a change in it to allow all domains? Kindly suggest.

  • @User_BIGQU

    I think this is only for the /dv Application and not for the /analytics Application

  • @User_BIGQU

    You can embed Oracle Analytics content into an application, custom application, or portal web page.

    When you embed analytics, you put information where users need it to make business decisions. Embedded analytics delivers fast time-to-insight and increases user productivity.

    There are two analytics content embedding methods:

  • BrandonH ✭✭✭
    edited August 22

    Since you don't have an OHS / Apache, do you have the option to offload the SSL to an F5 or something, so the header re-write could be done there?

    If you pre-authenticate to the blocked OAS page so you have an auth token does it behave with the same error?

    Are you embedding a /analytics page or a /dv page? In my experience that makes a difference on if the requirements are from instanceconfig.xml or the safe domains page, hence the question, even though I see you are blocked at the initial login page.

    Please share the "response headers" from the login.jsp network analysis you screenshotted above - with the return status code 200. I want to see if the response headers show:

    content-security-policy:default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;

    or if it has anything added based on your instanceconfig or safe domains settings

  • BrandonH ✭✭✭

    In my testing, when ALREADY authenticated I load a dashboard eg:

    GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%****%20Home%2fMy%20Dashboard

    The response headers return with the expected CSP per the OAS configurations (instanceconfig.xml or safedomains) - broken out for readability:

    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' ****removed but as expected**** ;

    child-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob:;

    img-src ****removed but as expected**** ;

    frame-src 'self' ****removed but as expected**** ;

    style-src 'unsafe-inline' 'self' ****removed but as expected**** ;

    default-src 'self';font-src ****removed but as expected**** ;

    media-src 'self' data: blob: mediastream:;

    frame-ancestors ****removed but as expected**** ;

    form-action 'self'

    In the case of an UNAUTHENTICATED request:

    GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%*****%20Home%2fMy%20Dashboard

    The 302 results in the following as you show in your screenshot:

    GET /bi-security-login/login.jsp;jsessionid=JLN7N2M…

    From which the system's response sends along NO custom CSP in the headers:

    CONTENT-SECURITY-POLICY: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;

    So OAS is simply not sending any of the CSP config through for the login page to allow it to be embedded.

    In our case we have OAM SSO, so we have the option for OAM to respond possibly allowing this part to be embedded.

    The web.xml option you listed above may work well enough.
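As an added example (not from this thread and not Oracle's code), the following script does offline what BrandonH asks for when he requests the login.jsp response headers: it parses a Content-Security-Policy header and an X-Frame-Options header and reports whether a given parent origin may frame the page, applying frame-ancestors first, as browsers do, and falling back to X-Frame-Options only when frame-ancestors is absent. The header strings are constructed copies of the ones quoted above; the parent origins and the page origin are placeholders you would replace with your own values.

```python
"""Evaluate framing permission from captured response headers.

Added example for the thread above; it is not Oracle's code and makes no
claim about how OAS builds its headers. Sample headers are constructed to
match the ones quoted in the thread; origins are placeholders.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the CSP reported on the unauthenticated
# /bi-security-login/login.jsp response (no custom frame-ancestors).
LOGIN_PAGE_HEADERS = {
    "content-security-policy": (
        "default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;"
        "child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;"
        "img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;"
        "media-src 'self' ;connect-src 'self' ;"
    ),
}

# Constructed sample: a response whose frame-ancestors already lists the
# embedding site (what a working safe-domains/instanceconfig setup yields).
EMBEDDABLE_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.abc.com",
}


def origin_parts(origin: str) -> tuple[str, str, int]:
    """Normalise an origin to (scheme, host, port), filling in the default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return scheme, (u.hostname or "").lower(), port


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Browsers honour the first occurrence of a directive, so duplicates are dropped.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, parent: str, page: str) -> bool:
    """Return True if one frame-ancestors source expression matches the parent origin."""
    p_scheme, p_host, p_port = origin_parts(parent)
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_parts(parent) == origin_parts(page)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:  # scheme-source such as https:
        return p_scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port]; a host without a scheme is accepted for
    # any parent scheme here (simplification of the CSP matching rules).
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.partition(":")
    host = host.lower()
    if scheme and scheme.lower() != p_scheme:
        return False
    if host.startswith("*."):
        if not p_host.endswith(host[1:]):   # wildcard needs at least one subdomain label
            return False
    elif host != p_host:
        return False
    if port == "*":
        return True
    if port:
        return p_port == int(port)
    # No port in the source: only the default port for the parent's scheme matches.
    return p_port == DEFAULT_PORTS.get(p_scheme)


def framing_decision(headers: dict[str, str], parent: str, page: str) -> tuple[bool, str]:
    """Decide whether `page` may be shown inside a frame on `parent`, with the reason."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:               # takes precedence over X-Frame-Options
        sources = csp["frame-ancestors"]
        return any(source_matches(s, parent, page) for s in sources), "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return origin_parts(parent) == origin_parts(page), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive: current browsers ignore it, so it neither allows nor blocks.
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return True, "no framing restriction in headers"


if __name__ == "__main__":
    page = "https://test.local.local:9503"      # origin from the error message in the thread
    for label, hdrs in (("login.jsp", LOGIN_PAGE_HEADERS), ("embeddable", EMBEDDABLE_HEADERS)):
        for parent in ("https://portal.abc.com", "https://abc.com", page):
            ok, why = framing_decision(hdrs, parent, page)
            print(f"{label:11} parent={parent:32} {'ALLOWED' if ok else 'BLOCKED'}  ({why})")
```

Paste the headers from the 200 response of login.jsp into the dictionary and run it with your portal's origin as `parent`. For the login page header quoted above the result is BLOCKED for every origin other than the OAS origin itself, whatever instanceconfig.xml says, which is the finding BrandonH describes; the ALLOW-FROM branch also shows why the X-Frame-Options value in the instanceconfig snippet earlier in the thread cannot help on its own.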