After upgrading to 21.2.x, we receive errors when trying to embed Generate URL reports in a web page frame

Article ID: 232121

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

We use an application that embeds the Performance Management dashboard by loading the dashboard URL in an iframe. This worked with older releases, but after upgrading to 21.2.x none of the URL links that we export work any longer. The error message found with the browser developer tools is:

Refused to frame 'http(s)://portalHostname:8181(2)/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Environment

Release: 21.2.x

Cause

In 21.2.x, the Portal's responses carry Content-Security-Policy and X-Frame-Options headers (the frame-ancestors 'self' directive named in the error above) that allow the UI to be framed only by pages from its own origin. Framing by other sites was disabled because it can be perceived as a vulnerability (clickjacking).

Resolution

To regain the function while accepting the vulnerability:

1. Access the SsoConfig utility on the NetOps Portal command line: /opt/CA/PerformanceCenter/SsoConfig

2. Choose option 1. DX NetOps, then option 3. Performance Center

3. Copy the current "Custom HTTP headers to be added to our responses" value.  For example, this is the out-of-the-box entry for 21.2.2:

Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self'; frame-ancestors 'self'; font-src 'self'; frame-src 'self'|X-Frame-Options:sameorigin|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy:'none'

4. Edit the copied string and remove:

; frame-ancestors 'self'

5. Back in SsoConfig, select option: 1. Remote Value

6. Select option: 23. Custom HTTP headers to be added to our responses:

7. Enter 'u' for update

8. Enter the string that was modified in step #4.  Using the example given in step #3, that would be:

Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';base-uri 'self'; font-src 'self'; frame-src 'self'|X-Frame-Options:sameorigin|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy:'none'

9. Enter 'q' to quit out of SsoConfig

10. Restart the console service:

systemctl restart caperfcenter_console

Additional Information

An alternative to embedding the generated dashboard URL in an iframe is to place the URL on the page as a plain link rather than embedding it.  Those who view the page can then click the URL (logging in if needed) and view the report/dashboard.

A different configuration was required to embed the URL in a Confluence iframe.  The following header string was used; note that, compared with step #8, it also drops X-Frame-Options, widens frame-src to *, and adds Strict-Transport-Security:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; font-src 'self'; frame-src *|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy: 'none'|Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
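As an added example (not part of this article or the product), the Python below parses the pipe-delimited header string that SsoConfig stores, reports which header or directive refuses framing by another origin, and rebuilds the string either as step #4 does (removing frame-ancestors) or, going one step further than the article, by allow-listing only the embedding origin so that every other site stays blocked. It also drops X-Frame-Options: sameorigin, as the Confluence string above does, because browsers enforce that header on its own once the CSP directive is gone; https://confluence.example.com is a placeholder origin.

```python
# Added example: parse and rebuild the pipe-delimited "Custom HTTP headers"
# string that SsoConfig stores (not product code; header text from the article).

# Out-of-the-box 21.2.2 string quoted in step #3.
DEFAULT_HEADERS = (
    "Content-Security-Policy:default-src 'self'; script-src 'self' 'unsafe-inline' "
    "'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' "
    "'unsafe-inline';base-uri 'self'; frame-ancestors 'self'; font-src 'self'; "
    "frame-src 'self'|X-Frame-Options:sameorigin|X-Content-Type-Options: nosniff|"
    "X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy:'none'"
)

def parse_headers(value):
    """Split 'Name:value|Name:value' on the first ':' of each '|'-separated item."""
    return [(n.strip(), v.strip()) for n, _, v in (i.partition(":") for i in value.split("|"))]

def parse_csp(value):
    """Split a Content-Security-Policy value into (directive, sources) pairs."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    return [(p.partition(" ")[0], p.partition(" ")[2].strip()) for p in parts]

def framing_blockers(value):
    """Report every header/directive that refuses framing by another origin."""
    found = {}
    for name, val in parse_headers(value):
        if name.lower() == "content-security-policy":
            found.update({d: s for d, s in parse_csp(val) if d == "frame-ancestors"})
        elif name.lower() == "x-frame-options":  # enforced even without the CSP directive
            found["X-Frame-Options"] = val
    return found

def allow_embedding(value, allowed_origin=None):
    """Drop frame-ancestors (step #4) or, with allowed_origin, narrow it to 'self' plus
    that one origin; X-Frame-Options is removed too. Output uses 'Name: value' spacing."""
    out = []
    for name, val in parse_headers(value):
        if name.lower() == "x-frame-options":
            continue
        if name.lower() == "content-security-policy":
            kept = []
            for directive, sources in parse_csp(val):
                if directive == "frame-ancestors":
                    if allowed_origin is None:
                        continue
                    sources = f"'self' {allowed_origin}"  # placeholder origin in the test
                kept.append(f"{directive} {sources}")
            val = "; ".join(kept)
        out.append(f"{name}: {val}")
    return "|".join(out)
```

Paste the returned string into option 23 of SsoConfig exactly as the article's step #8 describes; prefer the allow-listed form whenever the embedding page's origin is known.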