This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Refused to display 'https://somedomain.com' in a frame because it set 'X-Frame-Options' to 'sameorigin'

on ‎05-07-2021 09:11 AM

LookerExperts
Staff
0 1 14K
Knowledge Drop

Last tested: Nov 7, 2018
 

Let's conquer this beast.

image.png

First things first. What the heck is an origin?

It's the combination of protocol, domain, and port:

{protocol}://{domain}:{port} --> https://developer.mozilla.org:443

OK, Got it. What about sameorigin?

It's a policy designed to prohibit the display of resources from a particular origin in the page of another, different origin. When Looker is embedded in an iframe, that iframe requests and displays data from Looker's origin, which is different than the parent page's origin. For example, if I embed a dashboard from a Looker instance in https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe, their origins are not the same.

Where does X-Frame-Options fit in?

The X-Frame-Options ​HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in an iframe. Tying this back to sameorigin, when the X-Frame-Options header is set to sameorigin, that means the iframe won't allow its contents to be rendered if the parent page has a different origin. So, you might be wondering, "how can Looker be embedded at all then?" That brings me to the most important point.
 

Looker doesn't include the X-Frame-Options: sameorigin header in pages intended for embedding

This includes /dashboards, /looks, etc. This does not include /spaces, /admin, /login, etc.

When SSO embedding happens, the login url is hit and redirects to the embedded content. There are therefore two relevant network events to keep in mind: the login url and the content url.

Screen Shot 2018-07-18 at 4.37.32 PM.png

The login url has the X-Frame-Options:sameorigin header, but the content url does not. Therefore, assuming users aren't trying to embed pages not intended for embedding, the only time you should see the error is when the SSO login fails and the redirect never happens.

So, from a practical troubleshooting perspective, don't get distracted by the error. Instead, suit up in chain mail and figure out whether A) the page being embedded is legitimately intended for embedding and B) if it is, why is the SSO login url not redirecting to the content url? (hint: is the URL invalid in some way?)

NOTE: X-Frame-Options:sameorigin only applies to displaying content in an iframe (as the security issue it intends to prevent is one of user interaction). It does not actually block the request or prevent the browser from honoring redirects within an iframe.

This content is subject to limited support.                

Topic Labels
0 Likes
Comments
francofgp
Bronze 1
Bronze 1
‎10-07-2022 06:30 AM

Is there a reason why this could happen for some dashboards and not all of them?

For instance, I have 3 dashboards, which are literary a title, and a description, and when I create the iframe, it only works for 2 of them, not for all the 3.

I am having that problem right now.

Thanks

Version history
Last update:
‎05-07-2021 09:11 AM
Updated by: