Refused to frame/Connect because an ancestor violates the Content Security Policy directive
Hi, I am trying to display OAS in an iframe within our main application, but OAS is not allowing its content to be displayed, not even the login page. This issue persists across other applications and even on a simple HTML page. Despite adding safe domains in OAS, updating the instanceconfig.xml file multiple times and restarting the services, the iframe is still not working with OAS. We are unable to display our reports through OAS in an iframe.
"Refused to frame 'https://test.local.local:9503/' because an ancestor violates the following Content Security Policy directive: 'frame-ancestors 'self'."
Answers
-
my OAS version is 7.0.0.0.240110
1 -
Hi,
Did you enter your domain where you are trying to embed the OAS page in DV > Console > Safe Domains as accepted for embedding?
This is from OAS 2024 (aka 7.6), can't remember if that page was already like that in OAS 2023 (7.0).
You can read some more details in the doc:
PS: don't enable it for all domains, enter the domains you need only, keep your OAS a bit secured…
0 -
I’ve tried everything and have also reviewed your previous posts related to this issue. I attempted all suggested solutions, including those provided by Oracle Engineers, which involved modifications to the instanceconfig.xml file. Despite these efforts, the issue persists. Are there any other methods that could bypass all security layers for testing purposes?
0 -
I tried the steps below as well, but they didn’t work and are also causing issues during the service restart.
<Security>
  <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
  <InIFrameRenderingMode>allow</InIFrameRenderingMode>
  <ContentSecurityPolicy>
    <PolicyDirectives>
      <Directive>
        <Name>frame-src</Name>
        <Value>https://abc.com https://*.abc.com *</Value>
      </Directive>
      <Directive>
        <Name>img-src</Name>
        <Value>*</Value>
      </Directive>
    </PolicyDirectives>
  </ContentSecurityPolicy>
  <XFrameOptions>
    <Value>ALLOW-FROM https://abc.local.com</Value>
  </XFrameOptions>
  <EmbeddedContent>
    <Iframe enabled="true"/>
  </EmbeddedContent>
</Security>
0 -
You expect the login page to be visible in the embedding? What page is the system exactly trying to load?
The login page is a different deployment in the bi_server1, not sure any config in DV or OBIPS config file applies there.
0 -
I have an application where I’ve embedded OBIEE 11g in one IFRAME and OAS in a second IFRAME. Single Sign-On (SSO) is not enabled; I’m just displaying the OBIEE and OAS dashboards in these IFRAMEs. OBIEE 11g is functioning correctly: I can log in and view the dashboard. However, with OAS, I encounter an error referring to connection issues, and the page fails to load. Even the login page is inaccessible. I also tested with a simple HTML page, and I’m seeing the same error as in the application’s IFRAME.
0 -
This is the error.
0 -
Also, I don't have OHS or Apache in front of OAS. We are using OID, and there is no security configured in our environment.
0 -
Look at the Network tab and find out exactly what page is being blocked. Because just having the console message about the domain doesn't tell you much…
And OBIEE 11g is 8+ years old, browsers security was different back at that time, don't take it as a reference for embedding…
For example, in this screenshot you can see that it isn't my OAS page that is blocked, but the login page that OAS redirected me to (the 3rd row being a 302 redirect to the 4th row, the login).
0 -
Hi,
As you can see, there is no blockage at all. There is some issue with IFRAME/XFRAME because that is the only issue I am facing. I found the below file on the server: u01/app/OASUAT/Middleware/Oracle_Home/user_projects/domains/OAS_Domain/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/ir/war/WEB-INF/web.xml.
It contains:
<description>Security option used in session header to indicate
whether app is embeddable in iframes</description>
<param-name>oracle.bi.tech.xFrameOptions</param-name>
<param-value>SAMEORIGIN</param-value>
frame-src 'self' docs.oracle.com;frame-ancestors 'self'
Can we make a change in it to allow all domains? Kindly suggest.
0 -
I think this is only for the /dv Application and not for the /analytics Application.
0 -
You can embed Oracle Analytics content into an application, custom application, or portal web page.
When you embed analytics, you put information where users need it to make business decisions. Embedded analytics delivers fast time-to-insight and increases user productivity.
There are two analytics content embedding methods:
- Use the analytics content item's URL. Typically this method uses an iFrame. See Embed Oracle Analytics Content With iFrames.
- Use the JavaScript embedding framework when you need an integrated way to embed analytics content. This method provides greater flexibility than the iFrame embedding method. For example, use this method when you want to embed visualizations into a custom web application. See Typical Workflow to Use the JavaScript Embedding Framework with Oracle Analytics Content.
0 -
Since you don't have an OHS / Apache, do you have the option to offload the SSL to an F5 or something, so the header re-write could be done there?
If you pre-authenticate to the blocked OAS page so you have an auth token does it behave with the same error?
Are you embedding a /analytics page or a /dv page? In my experience that makes a difference on if the requirements are from instanceconfig.xml or the safe domains page, hence the question, even though I see you are blocked at the initial login page.
Please share the "response headers" from the login.jsp network analysis you screenshotted above - with the return status code 200. I want to see if the response headers show:
content-security-policy:default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;
or if it has anything added based on your instanceconfig or safe domains settings
1 -
In my testing, when ALREADY authenticated I load a dashboard eg:
GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%****%20Home%2fMy%20Dashboard
The response headers return with the expected CSP per the OAS configurations (instanceconfig.xml or safedomains) - broken out for readability:
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' ****removed but as expected**** ;
child-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob:;
img-src ****removed but as expected**** ;
frame-src 'self' ****removed but as expected**** ;
style-src 'unsafe-inline' 'self' ****removed but as expected**** ;
default-src 'self';font-src ****removed but as expected**** ;
media-src 'self' data: blob: mediastream:;
frame-ancestors ****removed but as expected**** ;
form-action 'self'
In the case of an UNAUTHENTICATED request:
GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%*****%20Home%2fMy%20Dashboard
The 302 results in the following as you show in your screenshot:
GET /bi-security-login/login.jsp;jsessionid=JLN7N2M…
From which the system's response sends along NO custom CSP in the headers:
CONTENT-SECURITY-POLICY: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;
So OAS is simply not sending any of the CSP config through for the login page to allow it to be embedded.
In our case we have OAM SSO, so we have the option for OAM to respond possibly allowing this part to be embedded.
The web.xml option you listed above may work well enough.
1
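The browser decides whether a page may be framed from the frame-ancestors directive (or X-Frame-Options) sent by the page being framed, not from frame-src, so the check that settles the question in this thread is: which hop of the redirect chain carries a frame-ancestors that excludes the embedding origin? The script below is an added example, not code from the thread or from Oracle: it parses a CSP header, evaluates frame-ancestors for a given embedding origin, and walks a constructed redirect chain (dashboard with configured frame-ancestors, then login.jsp with only 'self') to report the first blocked hop. The hostnames and headers in SAMPLE_CHAIN are constructed to mirror the thread, not captured from a real instance.

```python
# Added example: find which hop of a redirect chain refuses to be framed by an origin.
import fnmatch
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, embed_origin, page_origin):
    """True if one frame-ancestors source expression covers embed_origin."""
    if source.startswith("'"):            # keyword source: only 'self' can ever match
        return source == "'self'" and embed_origin == page_origin
    if source == "*":
        return True
    src = source.lower()
    emb = urlsplit(embed_origin)
    if src.endswith(":") and "/" not in src:   # scheme source such as https:
        return emb.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)  # host source, may be *.example
    if (s.scheme and s.scheme != emb.scheme) or (s.port and s.port != emb.port):
        return False
    return fnmatch.fnmatchcase(emb.hostname or "", s.hostname or "")

def frame_allowed(csp_header, page_url, embed_origin):
    """Does the page's CSP let embed_origin frame it? (X-Frame-Options not evaluated.)"""
    policy = parse_csp(csp_header)
    if "frame-ancestors" not in policy:
        return True                        # directive absent: CSP imposes no framing limit
    p = urlsplit(page_url)
    page_origin = f"{p.scheme}://{p.netloc}".lower()
    return any(source_matches(s, embed_origin.lower(), page_origin)
               for s in policy["frame-ancestors"])

def first_blocked_hop(chain, embed_origin):
    """chain: [(url, status, headers)] in redirect order; URL of the first blocked hop or None."""
    for url, _status, headers in chain:
        if not frame_allowed(headers.get("content-security-policy", ""), url, embed_origin):
            return url
    return None

# Constructed sample: the dashboard carries the configured frame-ancestors, the
# login page it 302s to sends only the default 'self'.
SAMPLE_CHAIN = [
    ("https://test.local.local:9503/analytics/saw.dll?Dashboard", 302,
     {"content-security-policy": "default-src 'self'; frame-ancestors 'self' https://abc.local.com https://*.abc.com"}),
    ("https://test.local.local:9503/bi-security-login/login.jsp", 200,
     {"content-security-policy": "default-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;"}),
]
```

To run it against a real instance, copy each response's URL and headers from the browser's Network tab into the chain in redirect order; the first URL returned is the one whose policy the console error is about.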