Opensearch Dashboard iframe embed : response header [x-frame-options]

Hello,
We are trying to embed one of the Kibana dashboards on an external website but seem to have some trouble doing so. We are able to auto-authenticate to it, but the connection is being refused in the iframe. Under the console tab in the browser's developer tools, there is an error "refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'."
In Firefox, the error is: "To protect your security, ip will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window."
I have checked the opensearch-dashboard logs and found an entry related to the x-frame-options:
["warning","http","server","OpenSearchDashboards"],"pid":2655,"message":"onPreResponseHandler rewrote a response header [x-frame-options]."}

In my opensearch_dashboards.yml, I have set the server.customResponseHeaders: {"X-Frame-Options": "allow"} option, but I believe it is getting overwritten, as the log entry mentioned above shows. Our opensearch-dashboard is running using https[:]//localhost[:]443

Please let me know if I have missed anything. Thanks!

@Sai1 - are you sure this isn’t related to a CORS policy? On the site that is embedding with an iframe, is there a CORS policy set?

Hi @nateynate,

Thanks for getting back! I am using a basic Flask app where I included the iframe. I do have CORS set up as per below:
import flask_cors
from flask import Flask
app = Flask(__name__)
cors = flask_cors.CORS(app, resources={r"/*": {"origins": "*"}}, supports_credentials=True)  # any origin, every route

But even when I run a simple curl like :
curl https://127.0.0.1 --insecure -u uname -v

I see the x-frame-options set to sameorigin. In the dashboard logs, I see the onPreResponseHandler rewrote a response header [x-frame-options]. The opensearch-dashboard server is running on 127.0.0.1:443 of our server. Flask is also running on the same server.

For auto-authentication, I have used nginx reverse proxy running on 6443. Please let me know if you require further information.

Here is the dashboard log rewriting the header.
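Added example, not from this thread or the OpenSearch project: a small diagnostic that takes the response headers the curl above shows and decides whether a browser will render that page inside an iframe from a given embedding origin. It applies the rules browsers use: a Content-Security-Policy `frame-ancestors` directive, when present, takes precedence over X-Frame-Options; `DENY` blocks all framing, `SAMEORIGIN` allows only the same scheme, host and port; any other X-Frame-Options value (including `allow`, which is not a defined value) is ignored, so the page is framable. The Flask app's port (5000) and the dashboard path are assumed for the sample; the headers are constructed to mirror what the thread reports. The `frame-ancestors` matching is a simplified subset of the CSP source grammar (keywords, `*`, scheme-only sources, hosts with optional scheme, port and leading `*.`).

```python
"""Decide whether response headers permit framing from a given origin.

Added example (assumptions: embedding Flask app at http://127.0.0.1:5000,
dashboard path /app/dashboards). Headers below are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host[:port], dropping default ports."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _source_matches(source: str, embedder: str, framed: str) -> bool:
    """Simplified CSP source-expression match for frame-ancestors."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return embedder == framed
    e = urlsplit(embedder)
    if src.endswith(":") and "/" not in src:      # scheme-only, e.g. https:
        return e.scheme == src[:-1]
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.partition(":")
    if scheme and scheme != e.scheme:
        return False
    e_port = str(e.port or DEFAULT_PORTS.get(e.scheme))
    if port and port != "*" and port != e_port:
        return False
    if host.startswith("*."):                     # wildcard subdomain
        return e.hostname.endswith(host[1:])
    return e.hostname == host


def framing_verdict(headers: dict, embedder_url: str, framed_url: str):
    """Return (allowed, reason) for embedding framed_url from embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, framed = origin_of(embedder_url), origin_of(framed_url)

    # CSP frame-ancestors, if present, overrides X-Frame-Options entirely.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            ok = any(_source_matches(s, embedder, framed) for s in value.split())
            return ok, f"CSP frame-ancestors {value!r} decides; X-Frame-Options ignored"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing"
    if xfo == "SAMEORIGIN":
        return embedder == framed, f"SAMEORIGIN: embedder {embedder} vs framed {framed}"
    if xfo:
        return True, f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN; browsers ignore it"
    return True, "no framing restriction header present"


# Constructed sample: what the thread's curl reported from the dashboard.
DASHBOARD_HEADERS = {"X-Frame-Options": "sameorigin"}

if __name__ == "__main__":
    allowed, why = framing_verdict(
        DASHBOARD_HEADERS, "http://127.0.0.1:5000/", "https://127.0.0.1/app/dashboards")
    print("embeddable:", allowed, "-", why)
```

Run it against the headers you actually capture with curl; if the verdict is False under `SAMEORIGIN`, the fix has to make the embedding origin match or replace the header with a `frame-ancestors` policy listing the embedding origin, and the dashboard log line above tells you the server is rewriting that header on the way out.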