@BrandonH @SteveF-Oracle The issue here is that font is referenced inside a .css file. @font-face{ font-family:Oracle Sans; font-style:italic; font-weight:600; src:url(obitech-application/fonts/OracleSansUI_W_SBdIt.woff) format("woff"); } Even though the .css file is fetched with crossorigin="use-credentials", the…

Sec-Fetch-Mode: - this is set as "no-cors" for .gif and "cors" from .woff. Where is this value set? Would it be the weblogic application which has the .woff file? And other files like .css (https://bidev.pc.com/dv/static/oracle-jet/11.1.10.39f2e3555343/ojs/styles/alta/alta.css) have sec-fetch-mode:cors but also have…

@BrandonH Successful .gif Request Headers GET /dv/static/obitech-common/0.1.0.03a5a3897475/images/redwood_progress.gif HTTP/1.1 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Connection: keep-alive Cookie:…

@SteveF-Oracle Thank you. I tried both things but no luck. I had also tried adding the FilesMatch in httpd.conf and ssl.conf. Other files (.gif, .css, .js) do not get this issue. For example: https://bidev.pc.com/dv/static/obitech-common/0.1.0.03a5a3897475/images/redwood_progress.gif (200 OK) The Location in the Response…

@BrandonH Yes, that is right. sandbox.pc.com: — Some website that you are embedding OAS content into bidev.pc.com: — Apache webserver that's infront of OAS / DV Apache to OAS is https. Below is in workers.conf ProxyPreserveHost On <Proxy "balancer://workers"> BalancerMember "https://devbi1-vip.pc.com:9404" ProxySet…

@BrandonH The request headers for blocked request: GET /dv/static/application/1.0.0.39f2e3555343/obitech-application/fonts/OracleSansUI_W_Bd.woff HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Connection: keep-alive Host: bidev.pc.com Origin: https://sandbox.pc.com Referer:…

@SteveF-Oracle When I directly embed the OAS URL I do not see the CORS issues. But when the URL is Apache (routing to OAS), the CORS issue for font is coming. I have tried adding Access-Control-Allow-Origin header in httpd.conf, ssl.conf.. but no luck.

@SteveF-Oracle Yes, we have same domain. Sub-domain is different. Yes, we have Apache front-ending OAS, Apache is mainly for SAML SSO between website and OAS. I am testing with Chrome and Firefox and both are having issues.

@Mostafa Morsy-Oracle Thank you, I will check anonymous login. We are ok to let session timeout, here issue is that to re-establish the analytics session once timed out. If I have ADF timeout < 1 hour, then SAML SSO is able to set OAS session if tried within 1 hour. But after 1 hour, it goes to OAS login page. SAML…

We are using analytics reports.

Thanks @Gianni Ceresa. This is working after adding Content-Security-Policy: frame-ancestors, in OHS httpd.conf.

We do not have single SSO across domains, so we have SAML configuration to authenticate OAS users. If I do setup a SAML session first and then load iFrame, the dashboard is displayed without issues. This is success even without any Safe Domain. So probably, here issue might be https://oas.xyz.com/saml2 is blocking frame…

To rule out F5 and OHS messing up, we tested https://oas.xyz.com and it displayed fine in the iFrame. I will try with direct OAS link and update here. Thank you.

We tried embedding https://oas.xyz.com and it displayed the OHS home page. But when we tried https://oas.xyz.com/analytics, then same error.

Yes, restart was done. This is F5 URL.

Yes, that is the first thing I did. Added "test.xyz.com", and enabled Embedding. I have also tried adding <InIFrameRenderingMode>allow</InIFrameRenderingMode> and "frame-ancestors"directive under CSP in instanceconfig.xml.

Thanks @Kathy-Oracle : I tried in Mozilla as well, same error. @Gianni Ceresa: Thank you, posted a new thread.

Did this work by changing CSP (embedding OAS on another page in iFrame)?. I have same requirement and this is not working. -Refused to display 'https://oasuat.XXX.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

We need this feature for displaying only BI content to the end consumer.