OAS: Embedding External Content in Dashboards Content Security Policy

Hi,
I'm looking for help to resolve an issue with Oracle Analytic Server's Presentation Service which allows users to view content from the dashboard embedded in an iframe.
My desired goal is to allow my "HomePage" to render the OAS dashboard inside Microsoft Edge (Chromium-based) in an iFrame without the following error:
"Refused to display 'ExternalDashboard' in a frame because it set 'frame-ancestor to 'self'"
I've updated the following files:
- Oracle_Home/bi/file_templates/OBIPS/config/instanceconfig.xml
<Security>
    <ContentSecurityPolicy>
        <PolicyDirectives>
            <Directive>
                <Name>frame-src</Name>
                <Value>*</Value>
            </Directive>
            <Directive>
                <Name>img-src</Name>
                <Value>*</Value>
            </Directive>
        </PolicyDirectives>
    </ContentSecurityPolicy>
</Security>
- domains/bi/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/irw68b/war/WEB-INF/web.xml
<init-param>
    <description>Security option used in session header to indicate
    whether app is embeddable in iframes</description>
    <param-name>oracle.bi.tech.xFrameOptions</param-name>
    <param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
    <description>Security option used in session header to indicate
    what resources can be loaded outside of origin</description>
    <param-name>oracle.bi.tech.contentSecurityPolicy</param-name>
    <param-value>default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.google.com maps.googleapis.com;child-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;style-src 'self' 'unsafe-inline' fonts.googleapis.com data:;img-src 'self' elocation.oracle.com *.googleapis.com maps.google.com maps.gstatic.com www.gstatic.com blob: *.googleusercontent.com data:;font-src 'self' fonts.gstatic.com data:;frame-src 'self' ;frame-ancestors "HOMEPAGE_HERE" 'self' ;media-src 'self' data: blob: mediastream:;connect-src 'self' www.googleapis.com elocation.oracle.com;</param-value>
</init-param>
Places I've looked include:
Configuring and Managing Analyses and Dashboards (oracle.com) -> Embedded External Contents
But I'm unable to see my changes reflected in the browser. I'm at a complete loss to how to resolve this issue and would appreciate some help. Please let me know if more information is needed.
Answers
Hello,
Instead of the wildcard '*' character, use the domain name in the <value> tag.
Make sure you bounce the Presentation server.
Refer
OBIEE 12c: External Embedded Content is Not Displayed (Doc ID 2273854)
Bala Guddeti
Principal Analytics Technologist
https://www.linkedin.com/in/balaguddeti-oracledataintelligence
My desired goal is to allow my "HomePage" to render the OAS dashboard inside Microsoft Edge (Chromium-based) in an iFrame
What is inside what? Do you want your personal/corporate website ("HomePage") to display OAS inside an iframe, or do you want external content to be displayed in an iframe in an OAS dashboard? It's a bit confusing which one you exactly want, and quite different settings control one or the other behavior.
I've updated the following files:
- domains/bi/servers/bi_server1/tmp/_WL_user/bitech-analysis-application/irw68b/war/WEB-INF/web.xml
You should avoid touching files coming from deployed things in WebLogic; you will lose these changes at the next patching or upgrade, and there are good chances it isn't going to be supported if you need help later on...
And a last thing: what version of product are you using? (things can be different in different versions)
Thanks Bala, for your reply.
@Gianni Ceresa Bear with me as I'm still learning. Yes, I want my corporate page to display OAS inside an iframe, not external content within the dashboard. I still haven't figured out how to best word my question.
Currently my homepage has "SomeURLA" and my OAS server has "SomeURLB", and inside Microsoft Edge I receive the frame-ancestor 'self' error message. I believe this is resolved with the Content-Security-Policy from what I have learned, but I'm unable to figure out where to make this change.
It works in Chrome and I haven't determined why this behavior isn't in Edge; we are using Oracle Analytic Server 5.9.
Ok, so in OAS there is a setting (in instanceconfig.xml) named "InIFrameRenderingMode" (<ServerInstance><Security><InIFrameRenderingMode>):
As you can see you will need to set this one to "allow" and then you also have a reference telling you that you also need to set the CSP settings.
As you can see they say that you should set https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors .
The CSP rule goes into instanceconfig.xml as well, but you need to set a directive with name "frame-ancestors".
What you were setting (as posted above) is frame-src, which means what kind of content OAS can embed into an iframe, the opposite of what you are trying to do.
Your website, your homepage, will maybe need that kind of directive to say to allow a "frame-src" being the OAS server.
Try setting all that, restart OBIPS1 in your OAS and then open your browser developer tools and keep an eye on the console when loading your homepage. There you will see the cause if it fails again to load OAS into a frame.
But don't change any other file in OAS other than instanceconfig.xml, that one should be enough for what you look for.
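The shape of the instanceconfig.xml change described in the answer above, written out as an added example (this fragment is not from Oracle's documentation or from anyone in this thread). https://someurla.com stands in for the embedding homepage, as in the question; the element placement follows the <ServerInstance><Security> path named in the answer and the <ContentSecurityPolicy> structure already posted in the question.

```xml
<!-- Added example: instanceconfig.xml fragment for letting one external site
     frame OAS. Not Oracle's text; https://someurla.com is the thread's placeholder. -->
<ServerInstance>
  <Security>
    <!-- Named in the answer above as required for framing. The later test in this
         thread observed that "allow" makes OBIPS send "frame-ancestors *". -->
    <InIFrameRenderingMode>allow</InIFrameRenderingMode>
    <ContentSecurityPolicy>
      <PolicyDirectives>
        <!-- frame-ancestors lists who may frame OAS. The question's frame-src
             directive is the reverse: what OAS itself may load into a frame. -->
        <Directive>
          <Name>frame-ancestors</Name>
          <Value>'self' https://someurla.com</Value>
        </Directive>
      </PolicyDirectives>
    </ContentSecurityPolicy>
  </Security>
</ServerInstance>
```

After restarting OBIPS, check the Content-Security-Policy response header of saw.dll in the browser's developer tools rather than trusting the file edit. Note the observation later in this thread: with InIFrameRenderingMode set to allow the header became `frame-ancestors *`, while the directive alone produced `frame-ancestors 'self' https://mywebsite.com`; if only the homepage origin should be allowed to frame OAS, the directive without the allow flag is the tighter of the two observed outcomes.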
Hi @Gianni Ceresa, I performed your recommendations without success. So I must be missing some information for you.
So I'm able to view the OAS dashboard with 'Reports Menu', 'Managed Scheduled Job', ... without issue even before the change in the instanceconfig.xml. Under the 'Reports Menu', I attempt to select a report, which it appears opens up a new iFrame within the current iFrame. It's this second iFrame containing my report which returns the 'frame-ancestors 'self'' error.
I also received a new error message in the console stating "Ignoring duplicate Content-Security-Policy directive 'frame-src'", which is returned in 'saw.dll?CacheStaticFiles&timeout=3':
default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.google.com maps.googleapis.com;child-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;style-src 'self' 'unsafe-inline' fonts.googleapis.com data:;img-src 'self' elocation.oracle.com *.googleapis.com maps.google.com maps.gstatic.com www.gstatic.com blob: *.googleusercontent.com data:;font-src 'self' fonts.gstatic.com data:;frame-src 'self';media-src 'self' data: blob: mediastream:;connect-src 'self' www.googleapis.com elocation.oracle.com;frame-src *;child-src *;img-src *;frame-ancestors *
When I click my report with the new url it returns this Content-Security-Policy with the change you recommended in the instanceconfig.xml
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'none'; frame-ancestors 'self'
Can you share some advice to resolve this? I appreciate your help by the way.
There were multiple calls the saw.dll in the browser. This was the last call to saw.dll before clicking on my report tab:
media-src 'self' data: blob: mediastream: https://someurla.com ###.###.###.###443;default-src 'self';frame-ancestors * https://someurla.com ###.###.###.###443;style-src 'self' 'unsafe-inline' fonts.googleapis.com data: https://someurla.com ###.###.###.###443;font-src 'self' fonts.gstatic.com data:;connect-src 'self' www.googleapis.com elocation.oracle.com https://someurla.com ###.###.###.###443;frame-src 'self' https://someurla.com https://someurla.com ###.###.###.###443;img-src 'self' elocation.oracle.com *.googleapis.com maps.google.com maps.gstatic.com www.gstatic.com blob: *.googleusercontent.com data: https://someurla.com ###.###.###.###443;child-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:;script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.google.com maps.googleapis.comhttps://someurla.com ###.###.###.###443
I did just try in a new OAS 6.4, without '<InIFrameRenderingMode>allow</InIFrameRenderingMode>' by default it is: frame-ancestors 'self'.
Without '<InIFrameRenderingMode>allow</InIFrameRenderingMode>' and with a CSP directive: frame-ancestors 'self' https://mywebsite.com .
With '<InIFrameRenderingMode>allow</InIFrameRenderingMode>': frame-ancestors * .
Therefore that flag does change the setting.
Now, why the page still can't be embedded in a frame, I don't get it to be fair. The error says it is because an ancestor violates the CSP directive, but if I look at OAS directly I do receive the correct 'frame-ancestors' directive.
Is it maybe a cascading issue? One of the resources loaded by OAS doesn't have (for whatever reason) that CSP directive set and therefore the frame fails?
I did try to embed in the frame a resource that doesn't load anything else (but still has the frame-ancestors directive).
The page did try to load it, but detected that no valid session was available and therefore tried to display the OAS login page /bi-security-login/login.jsp . And guess what? That one only has frame-ancestors: 'self' .
This login page is the lightweight SSO; it doesn't really follow any other directive set in OBIPS because it is just a deployment in WebLogic. This seems to be the source of the issue.
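The diagnosis above comes down to comparing the frame-ancestors directive on each response (saw.dll with and without the flag, the duplicated directives Edge warned about, and /bi-security-login/login.jsp) against the embedding page's origin. The following added example, which is not Oracle code and not code posted by anyone in this thread, evaluates a Content-Security-Policy header string the way a browser evaluates frame-ancestors, so those headers can be compared offline. The header strings and origins are constructed from the thread's placeholders; the OAS origin and port are assumed.

```python
"""Evaluate a CSP frame-ancestors directive the way a browser does.

Added example for this thread; not Oracle code and not posted by anyone in the
discussion. Header strings and origins below are constructed from the thread's
placeholders; the OBIPS origin/port is an assumption.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(header):
    """Split a CSP header into ({directive: [sources]}, [ignored duplicate names]).

    When a directive appears twice, browsers keep the first occurrence and log
    "Ignoring duplicate Content-Security-Policy directive ...", as Edge did for
    the doubled frame-src in the thread. The later copy is dropped here too.
    """
    policy, duplicates = {}, []
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            duplicates.append(name)
        else:
            policy[name] = tokens[1:]
    return policy, duplicates


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, _effective_port(pa)) == (
        pb.scheme, pb.hostname, _effective_port(pb))


def _host_source_matches(source, origin):
    """Match a CSP host-source (scheme optional, leading '*.' wildcard) to an origin."""
    if "'" in source or '"' in source:
        return False  # quotes belong only on keywords like 'self'; "HOMEPAGE_HERE" matches nothing
    s = urlsplit(source if "://" in source else "//" + source)
    o = urlsplit(origin)
    if not s.hostname:
        return False
    if s.scheme and s.scheme != o.scheme:
        return False  # simplified: the spec also lets an http: source match an https: origin
    if s.hostname.startswith("*."):
        if not (o.hostname or "").endswith(s.hostname[1:]):
            return False
    elif s.hostname != o.hostname:
        return False
    return s.port is None or s.port == _effective_port(o)


def frame_ancestors_allows(header, self_origin, ancestor_origin):
    """True if a page at ancestor_origin may frame a response carrying this header.

    frame-ancestors never falls back to default-src: a missing directive means
    CSP imposes no framing restriction (X-Frame-Options may still apply).
    """
    sources = parse_csp(header)[0].get("frame-ancestors")
    if sources is None:
        return True
    for src in sources:
        token = src.lower()
        if token == "*":
            return True
        if token == "'self'":
            if _same_origin(self_origin, ancestor_origin):
                return True
        elif token != "'none'" and _host_source_matches(src, ancestor_origin):
            return True
    return False  # also covers an empty source list and a lone 'none'


# Constructed inputs paraphrasing the headers quoted in the thread.
OAS_ORIGIN = "https://oas.example.com:9502"  # assumed OBIPS origin
HOMEPAGE = "https://someurla.com"            # the embedding "HomePage" placeholder
SAW_DEFAULT = "default-src 'self'; frame-src 'self'; frame-ancestors 'self'"
SAW_DIRECTIVE = "default-src 'self'; frame-ancestors 'self' https://someurla.com"
SAW_ALLOW_FLAG = "default-src 'self'; frame-ancestors *"
SAW_DUPLICATE = "frame-ancestors 'self'; frame-src 'self'; frame-src *; frame-ancestors *"
LOGIN_JSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
             "media-src 'none'; frame-ancestors 'self'")

if __name__ == "__main__":
    samples = [("saw.dll default", SAW_DEFAULT), ("saw.dll + directive", SAW_DIRECTIVE),
               ("saw.dll + allow flag", SAW_ALLOW_FLAG),
               ("duplicate directives", SAW_DUPLICATE), ("login.jsp", LOGIN_JSP)]
    for label, hdr in samples:
        ok = frame_ancestors_allows(hdr, OAS_ORIGIN, HOMEPAGE)
        dups = parse_csp(hdr)[1]
        print(f"{label:22} framed by {HOMEPAGE}: {'allowed' if ok else 'BLOCKED'}"
              + (f"  (ignored duplicates: {dups})" if dups else ""))
```

Run against the thread's cases, the saw.dll headers with the directive or the allow flag pass while login.jsp's `frame-ancestors 'self'` is blocked for the homepage origin, which is the chain of events described above: the nested frame loses the session, redirects to the login deployment, and that response carries the restrictive policy. The duplicate case shows why appending a second `frame-ancestors *` (as in the web.xml approach) changes nothing: the browser keeps the first directive and ignores the rest.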
How to change the frame-ancestors for the bi-security-login deployment?
No idea, if it isn't a checkbox somewhere in WebLogic but it requires to change a file in the WAR archive (like web.xml or anything else), you would be outside of the supported scope I believe.
I imagine this problem doesn't happen when you have a full SSO environment because your users will be automatically authenticated without being prompted the login screen.
Also worth knowing that DV has its own CSP apparently, if you go in DV, Console, Safe Domains you can add domains to set in CSP directive, and the "Embedding" checkbox is the one for frame-ancestors .
@Gianni Canepa - Oracle-Oracle I have been unsuccessful in changing the CSP Policy for the nested iframe within the Presentation Server to inherit the CSP policy from the first iframe within the Edge browser. I feel this is a bug at this point. Can you point me the area to create a bug-report for this issue?