Refused to frame/Connect because an ancestor violates the Content Security Policy directive
Answers
-
I think this is only for the /dv application and not for the /analytics application.
0 -
You can embed Oracle Analytics content into an application, custom application, or portal web page.
When you embed analytics, you put information where users need it to make business decisions. Embedded analytics delivers fast time-to-insight and increases user productivity.
There are two analytics content embedding methods:
- Use the analytics content item's URL. Typically this method uses an iFrame. See Embed Oracle Analytics Content With iFrames.
- Use the JavaScript embedding framework when you need an integrated way to embed analytics content. This method provides greater flexibility than the iFrame embedding method. For example, use this method when you want to embed visualizations into a custom web application. See Typical Workflow to Use the JavaScript Embedding Framework with Oracle Analytics Content.
0 -
Since you don't have an OHS / Apache, do you have the option to offload the SSL to an F5 or something, so header rewrite could be done there?
If you pre-authenticate to the blocked OAS page so you have an auth token, does it behave with the same error?
Are you embedding a /analytics page or a /dv page? In my experience that makes a difference on if the requirements are from instanceconfig.xml or the safe domains page, hence the question, even though I see you are blocked at the initial login page.
Please share the "response headers" from the login.jsp network analysis you screenshotted above - with the return status code 200. I want to see if the response headers show:
content-security-policy:default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;
or if it has anything added based on your instanceconfig or safe domains settings
1 -
In my testing, when ALREADY authenticated, I load a dashboard, e.g.:
GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%****%20Home%2fMy%20Dashboard
The response headers return with the expected CSP per the OAS configurations (instanceconfig.xml or safedomains) - broken out for readability:
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'self' ****removed but as expected**** ;
child-src 'unsafe-inline' 'unsafe-eval' 'self' data: blob:;
img-src ****removed but as expected**** ;
frame-src 'self' ****removed but as expected**** ;
style-src 'unsafe-inline' 'self' ****removed but as expected**** ;
default-src 'self';font-src ****removed but as expected**** ;
media-src 'self' data: blob: mediastream:;
frame-ancestors ****removed but as expected**** ;
form-action 'self'
In the case of an UNAUTHENTICATED request:
GET /analytics/saw.dll?Dashboard&portalPath=%2fshared%*****%20Home%2fMy%20Dashboard
The 302 results in the following as you show in your screenshot:
GET /bi-security-login/login.jsp;jsessionid=JLN7N2M…
From which the system's response sends along NO custom CSP in the headers:
CONTENT-SECURITY-POLICY: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;
So OAS is simply not sending any of the CSP config through for the login page to allow it to be embedded.
In our case we have OAM SSO, so we have the option for OAM to respond possibly allowing this part to be embedded.
The web.xml option you listed above may work well enough.
1 -
Hi,
Please suggest what I can do to resolve this issue, as Oracle is not providing the exact solution. It's been more than 3 months and I am still struggling with this issue.
Any suggestion on how I can configure SSO to access OAS from my application? Currently, I don't have any authentication between OAS and that application. Previously I was accessing OBIEE inside an iframe in my application, in such a way that I first logged in to my application and then needed to use login credentials again for OBIEE inside the iframe; there was no SSO or direct authentication.
Thanks
0 -
@User_BIGQU, if the SR isn't progressing as you expect then please escalate it immediately. Sometimes we have product management looking in on the threads here, but the forums are not an official support channel. Especially if something is a bug and doesn't progress, you must escalate it.
0
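Added example (not from any poster in this thread and not Oracle code): a small Node.js check of how a browser evaluates `frame-ancestors` for the two responses compared above, the authenticated dashboard and the `login.jsp` redirect. The origins and the dashboard header's allowed ancestor are constructed placeholders, because the thread redacts the real values; the login header is the one quoted in the thread.

```javascript
// Added example: OAS, PORTAL and DASHBOARD_CSP are constructed; LOGIN_CSP is the header quoted in the thread.
const OAS = 'https://oas.example.com';       // constructed OAS origin
const PORTAL = 'https://portal.example.com'; // constructed embedding application origin
const LOGIN_CSP = "default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval' ;child-src 'self' 'unsafe-inline' 'unsafe-eval' ;style-src 'self' 'unsafe-inline' ;img-src 'self' ;font-src 'self' ;frame-src 'self' ;frame-ancestors 'self' ;media-src 'self' ;connect-src 'self' ;";
const DASHBOARD_CSP = "default-src 'self'; frame-src 'self'; frame-ancestors 'self' https://portal.example.com; form-action 'self'";

// Split a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: 'self', *, scheme-only, and host sources with an
// optional scheme, leading "*." wildcard and port. Path parts are ignored.
function sourceMatches(source, origin, selfOrigin) {
  const o = new URL(origin);
  if (source === "'self'") return o.origin === new URL(selfOrigin).origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return o.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== o.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? o.hostname.endsWith('.' + h) : o.hostname === h;
  const originPort = o.port || (o.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === originPort : !o.port);
  return hostOk && portOk;
}

// Checks the immediate parent only; a browser applies the same test to every ancestor frame.
function canBeFramedBy(cspHeader, parentOrigin, selfOrigin) {
  const ancestors = parseCsp(cspHeader).get('frame-ancestors');
  // frame-ancestors has no default-src fallback: if absent, CSP imposes no framing limit.
  if (ancestors === undefined) return true;
  return ancestors.some((s) => sourceMatches(s, parentOrigin, selfOrigin));
}

// Evaluate both steps of the embed: the dashboard response and the login redirect.
function embedReport(parent) {
  return {
    dashboard: canBeFramedBy(DASHBOARD_CSP, parent, OAS),
    loginRedirect: canBeFramedBy(LOGIN_CSP, parent, OAS),
  };
}
console.log(embedReport(PORTAL));
```

Running the same check against the response headers captured from your own environment shows which hop in the redirect chain still carries only `frame-ancestors 'self'`.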