Knowledge Drop

Refused to display 'https://somedomain.com' in a frame because it set 'X-Frame-Options' to 'sameorigin'

  • 7 May 2021
  • 0 replies
  • 2651 views

Last tested: Nov 7, 2018

Let's conquer this beast.


First things first. What the heck is an origin?

It's the combination of protocol, domain, and port:

{protocol}://{domain}:{port} --> https://developer.mozilla.org:443
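The origin rule above, worked through as an added example (this is not code from the original post): it derives the origin tuple from a URL the way a browser does, filling in the default port so that `https://developer.mozilla.org` and `https://developer.mozilla.org:443` compare equal, and reports which component differs between the parent page and the framed page. The hostname `mycompany.looker.com` is a placeholder.

```javascript
// Added example, not code from the original post. Derives a URL's origin as
// {protocol}://{domain}:{port}, filling in the default port the way browsers do,
// so that https://developer.mozilla.org and https://developer.mozilla.org:443
// are recognised as the same origin. mycompany.looker.com is a placeholder host.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the origin string for an absolute http(s) URL, or null for schemes
// (data:, about:, blob:) that have no tuple origin in the browser sense.
function originOf(urlString) {
  const url = new URL(urlString);
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  // URL.port is '' when the URL uses the scheme's default port.
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return `${url.protocol}//${url.hostname}:${port}`;
}

// Two URLs are same-origin only if protocol, domain and port all match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Lists which of the three components differ, for a troubleshooting message.
function originDiff(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const parts = [];
  if (ua.protocol !== ub.protocol) parts.push('protocol');
  if (ua.hostname !== ub.hostname) parts.push('domain');
  const pa = ua.port || DEFAULT_PORTS[ua.protocol];
  const pb = ub.port || DEFAULT_PORTS[ub.protocol];
  if (pa !== pb) parts.push('port');
  return parts;
}

// The post's example: a w3schools page framing a dashboard from a Looker instance.
const PARENT = 'https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe';
const FRAMED = 'https://mycompany.looker.com/dashboards/1';  // placeholder host, constructed path

console.log(originOf(PARENT));            // https://www.w3schools.com:443
console.log(sameOrigin(PARENT, FRAMED));  // false
console.log(originDiff(PARENT, FRAMED));  // [ 'domain' ]
```

Note that `URL.origin` in the browser omits the default port; the explicit port here is only to make the three-part tuple visible.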


OK, Got it. What about sameorigin?

It's a policy that prohibits a page from one origin from being displayed inside a page served from a different origin. When Looker is embedded in an iframe, that iframe requests and displays content from Looker's origin, which is different from the parent page's origin. For example, if I embed a dashboard from a Looker instance in https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe, the two origins are not the same.

Where does X-Frame-Options fit in?

The X-Frame-Options HTTP response header tells the browser whether it is allowed to render a page in an iframe. Tying this back to sameorigin: when X-Frame-Options is set to sameorigin, the browser will not render that page inside an iframe if the parent page has a different origin. So, you might be wondering, "how can Looker be embedded at all then?" That brings me to the most important point.

Looker doesn't include the X-Frame-Options: sameorigin header in pages intended for embedding

This includes /dashboards, /looks, etc. This does not include /spaces, /admin, /login, etc.

When SSO embedding happens, the login url is hit and redirects to the embedded content. There are therefore two relevant network events to keep in mind: the login url and the content url.


The login url has the X-Frame-Options:sameorigin header, but the content url does not. Therefore, assuming users aren't trying to embed pages not intended for embedding, the only time you should see the error is when the SSO login fails and the redirect never happens.

So, from a practical troubleshooting perspective, don't get distracted by the error. Instead, suit up in chain mail and figure out A) whether the page being embedded is legitimately intended for embedding and B) if it is, why the SSO login url is not redirecting to the content url (hint: is the URL invalid in some way?).

NOTE: X-Frame-Options:sameorigin only applies to displaying content in an iframe (the security issue it is meant to prevent is one of user interaction with the framed page). It does not block the request itself or prevent the browser from honoring redirects within the iframe.
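The troubleshooting flow above, as an added example that is not code from the original post or from Looker: it walks the two network events (the SSO login url and the content url it redirects to), follows the redirect even though the login response carries X-Frame-Options, and reports whether the "Refused to display ... in a frame" error is expected and which of the two questions (A or B) it points at. All responses are constructed sample data; `mycompany.looker.com` and the login url's query string are placeholders.

```javascript
// Added example, not code from the original post or from Looker. Walks the two
// network events the post describes, the SSO login url and the content url it
// redirects to, and reports whether the "Refused to display ... in a frame"
// error is expected and why. All responses below are constructed sample data and
// mycompany.looker.com is a placeholder hostname.

// Paths the post lists as not intended for embedding.
const NOT_FOR_EMBEDDING = ['/spaces', '/admin', '/login'];

// True if the browser would refuse to render this response inside a frame whose
// parent has parentOrigin. Only SAMEORIGIN and DENY block; other values are ignored.
function blockedByXfo(parentOrigin, response) {
  const value = (response.headers['x-frame-options'] || '').trim().toLowerCase();
  if (value === 'deny') return true;
  if (value === 'sameorigin') return new URL(response.url).origin !== parentOrigin;
  return false;
}

// events: responses in the order the browser received them, the login url first.
// Redirects are followed even when the response carries X-Frame-Options, since
// the header only governs rendering, not the request or the redirect.
function diagnoseEmbed(parentUrl, events) {
  const parentOrigin = new URL(parentUrl).origin;
  let final = events[0];
  for (let i = 0; i < events.length - 1; i++) {
    const r = events[i];
    const redirect = r.status >= 300 && r.status < 400 && r.headers.location;
    if (!redirect) break;
    const target = new URL(r.headers.location, r.url).href;
    if (events[i + 1].url !== target) break;   // chain does not continue
    final = events[i + 1];
  }
  if (!blockedByXfo(parentOrigin, final)) {
    return { errorExpected: false, code: 'OK', reason: `${final.url} rendered in the frame` };
  }
  const path = new URL(final.url).pathname;
  if (path.startsWith('/login')) {
    // Question B from the post: the login url never redirected to the content url.
    return { errorExpected: true, code: 'LOGIN_NOT_REDIRECTED',
      reason: `SSO login url answered ${final.status} without redirecting; check whether the login url is invalid` };
  }
  if (NOT_FOR_EMBEDDING.some(p => path.startsWith(p))) {
    // Question A from the post: the page was never meant to be embedded.
    return { errorExpected: true, code: 'NOT_EMBEDDABLE', reason: `${path} is not intended for embedding` };
  }
  return { errorExpected: true, code: 'XFO_BLOCKED',
    reason: `${final.url} sent X-Frame-Options for a cross-origin frame` };
}

// Constructed samples (the parent page is the post's w3schools example).
const PARENT_PAGE = 'https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe';
const LOGIN_URL = 'https://mycompany.looker.com/login/embed/%2Fdashboards%2F1?params=CONSTRUCTED';

const SAMPLE_SUCCESS = [
  { url: LOGIN_URL, status: 302, headers: { 'x-frame-options': 'SAMEORIGIN', location: '/dashboards/1' } },
  { url: 'https://mycompany.looker.com/dashboards/1', status: 200, headers: {} },
];
const SAMPLE_LOGIN_FAILED = [
  { url: LOGIN_URL, status: 403, headers: { 'x-frame-options': 'SAMEORIGIN' } },
];
const SAMPLE_WRONG_PAGE = [
  { url: 'https://mycompany.looker.com/admin', status: 200, headers: { 'x-frame-options': 'SAMEORIGIN' } },
];

for (const sample of [SAMPLE_SUCCESS, SAMPLE_LOGIN_FAILED, SAMPLE_WRONG_PAGE]) {
  console.log(diagnoseEmbed(PARENT_PAGE, sample));
}
```

The same login failure embedded from a page on the Looker instance's own origin produces no error at all, which is exactly the sameorigin behaviour the post describes: the header decides rendering, not whether the request or redirect happens.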
