Opensearch Dashboard iframe embed : response header [x-frame-options]

We are trying to embed one of the kibana dashboard on an external website but seem to have some troubling doing so. We are able to auto-authenticate to it but the connection is being refused in the iframe. Under the console tab in developer settings of browser, there is an error “refused to display in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.”
In firefox, the error is : “To protect your security, ip will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.”
I have checked the opensearch-dashboard logs and found an entry related to the x-frame-options:
[“warning”,“http”,“server”,“OpenSearchDashboards”],“pid”:2655,“message”:“onPreResponseHandler rewrote a response header [x-frame-options].”}

In my opensearch_dashboards.yml, I have set the server.customResponseHeaders: {“X-Frame-Options”: “allow”} option but I believe it is getting overwritten by the log entry mentioned above. Our opensearch-dashboard is running using https[:]//localhost[:]443

Please let me know if I have missed anything. Thanks!

@Sai1 - are you sure this isn’t related to a CORS policy? On the site that is embedding with an iframe, is there a CORS policy set?

Hi @nateynate,

Thanks for getting back! I am using a basic flask app where I included the iframe. I do have the cors set up as per below:
cors = flask_cors.CORS()
cors = flask_cors.CORS(app, resources={r"/": {“origins”: ""}}, supports_credentials=True,)

But even when I run a simple curl like :
curl --insecure -u uname -v

I see the x-frame-options set to sameorigin. In the dashboard logs, I see the onPreResponseHandler rewrote a response header [x-frame-options]. The opensearch-dashboard server is running on of our server. The flask is also running on the same server.

For auto-authentication, I have used nginx reverse proxy running on 6443. Please let me know if you require further information.

Here is the dashboard log rewriting the header.