Using iDash as an external application in WCC, page is blank or won't show

Article ID: 16764

Updated On:

Products

iDash Workload Automation

Issue/Introduction



Using iDash as an external application in WCC, the page is blank or won't show. I either get a blank screen or an error stating frames is not supported. Other webpages work just fine.

Environment

All

Resolution

The X-Frame-Options header is a security feature that iDash implements intentionally. We will continue to ship the product in this configuration. If a customer wants to change this configuration, it is possible, but it comes with some risk. The whole purpose of the option is to prevent clickjacking, so removing or loosening the protection reopens that exposure.

 

The relevant header is defined in IDASH_HOME/tomcat8/webapps/idash/WEB-INF/web.xml. That file contains a definition for httpHeaderSecurityFilter and three filter-mappings. Users could either remove this filter (definitely not recommended) or modify it to use the ALLOW-FROM option instead of the current SAMEORIGIN option (less risky than disabling, but still carries some risk). For the second option, users will need to adjust the first filter, then add additional filters ahead of the filter mappings with the URIs that should be allowed to open iDash in a frame. These can be added one at a time, or in a list with the URIs in brackets. Below is an example of that modification:

 

Current Entry: 

<filter>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/ui/index.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/ui/legacy.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/legacy.html</url-pattern>
</filter-mapping>

 

URI Filter: 

<filter>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>[https://URI1.com][https://URI2.com][https://URI3.com]</param-value>
    </init-param>
</filter>

 

This option will work if you cannot run the extension or if there isn't an extension available for the browser you want to use.
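
One way to review what an edited web.xml will actually send before restarting iDash, as an added example that is not part of the original article or of the product: the Python script below reads the HttpHeaderSecurityFilter definition and its filter-mappings and reports the effective X-Frame-Options setting per filter. The names audit_web_xml and SAMPLE, and the XML namespace in the sample, are assumptions; the defaults it applies (header enabled, option DENY when none is given) are those documented for Tomcat's filter.

```python
import xml.etree.ElementTree as ET
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Constructed sample input: the page's SAMEORIGIN filter with one of its mappings.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/ui/index.html</url-pattern>
  </filter-mapping>
</web-app>"""

def _kids(elem, name):
    """Children by local tag name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Return ({filter-name: settings}, [findings]) for a web.xml string."""
    root = ET.fromstring(xml_text)
    report, findings = {}, []
    for f in _kids(root, "filter"):
        if _text(f, "filter-class") != FILTER_CLASS:
            continue
        name = _text(f, "filter-name")
        p = {_text(i, "param-name"): _text(i, "param-value") for i in _kids(f, "init-param")}
        option = p.get("antiClickJackingOption", "DENY").upper()  # Tomcat default: DENY
        uri = p.get("antiClickJackingUri", "")
        urls = [_text(m, "url-pattern") for m in _kids(root, "filter-mapping")
                if _text(m, "filter-name") == name]
        report[name] = {"option": option, "uri": uri, "urls": urls}
        checks = [
            (p.get("antiClickJackingEnabled", "true").lower() == "false", "header disabled"),
            (option == "ALLOW-FROM" and not uri, "ALLOW-FROM set without antiClickJackingUri"),
            (bool(uri) and option != "ALLOW-FROM", f"antiClickJackingUri unused while option is {option}"),
            (not urls, "no filter-mapping, so the header is never sent"),
        ]
        findings += [f"{name}: {msg}" for cond, msg in checks if cond]
    if not report:
        findings.append("HttpHeaderSecurityFilter not configured: no X-Frame-Options header")
    return report, findings
```

Browsers that do not implement ALLOW-FROM ignore an X-Frame-Options header that carries it, so also confirm the framing behaviour in the browser actually used for WCC.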