Blueprint Channel Modules security error referencing 'X-Frame-Options'


Article ID: 117039


Updated On:

Products

Clarity PPM SaaS, Clarity PPM On Premise

Issue/Introduction

We are trying to display a web page in Clarity PPM Blueprint Channel Modules but are getting a "Load denied by X-Frame-Options" security error.
Load denied by X-Frame-Options: https://<website.xyz.com> does not permit cross-origin framing. 
Header Details:
Request URL: https://<website.xyz.com> 
Request method: Get 
X-Frame-Option: SAME ORIGIN


Excerpt of another error message you may see:

Refused to display 'https://<website.xyz.com>' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Environment

Release:
Component: ODSEC

Resolution

The issue is not with Clarity; it is a restriction on the SSO application. The application needs to have a whitelist (CORS) capability to trust Clarity.
  • This happens because of the external application's security policy, and Clarity PPM cannot override the security policy of another application. Applications have built-in security, which Clarity PPM cannot control. Clarity PPM can do certain things to get the content to display.
    • For example: if you want to display external applications within PPM, PPM will trust that application and display it, provided that the protocols (HTTP or HTTPS) match. So if you have an HTTPS PPM server and are trying to render an HTTP site, which is not secured, that is a security violation which will prevent it from displaying.
  • We can also tell PPM to whitelist certain domains, and this is done automatically as soon as the user populates the URL value (you may have to refresh or navigate away to read the updated whitelist domains).
Edit CA PPM 15.5 Blueprint Modules
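
The checks described above, as an added example (not Broadcom's or Clarity's code): a simplified JavaScript model of how a browser decides whether a page may be framed, covering the HTTP/HTTPS mismatch and the target's X-Frame-Options and CSP frame-ancestors response headers. The function name canFrame and the hostnames clarity.example.com and sso.example.net are assumptions made for the example.

```javascript
// Added example. Simplified model of the browser's framing decision for one
// parent/child pair; hostnames and headers used with it are constructed.
function canFrame(parentOrigin, targetUrl, headers) {
  const parent = new URL(parentOrigin);
  const target = new URL(targetUrl);
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Mixed content: an HTTPS page may not frame a plain-HTTP page.
  if (parent.protocol === 'https:' && target.protocol === 'http:') {
    return { allowed: false, reason: 'mixed-content' };
  }

  // CSP frame-ancestors, when present, replaces X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // Only '*', 'self', 'none' and full origins are modelled here;
    // scheme-only and wildcard-host sources are treated as non-matching.
    const ok = directive.slice(1).some((src) => {
      const s = src.toLowerCase();
      if (s === '*') return true;
      if (s === "'self'") return parent.origin === target.origin;
      try { return new URL(s).origin === parent.origin; } catch { return false; }
    });
    return { allowed: ok, reason: ok ? 'frame-ancestors-allows' : 'frame-ancestors-blocks' };
  }

  // X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'x-frame-options-deny' };
  if (xfo === 'SAMEORIGIN' && parent.origin !== target.origin) {
    return { allowed: false, reason: 'x-frame-options-sameorigin' };
  }
  return { allowed: true, reason: 'no-restriction' };
}

// Constructed case matching the error above: cross-origin target, SAMEORIGIN.
console.log(canFrame('https://clarity.example.com', 'https://sso.example.net/',
  { 'X-Frame-Options': 'sameorigin' }));
```

Feeding it the response headers captured from the external site shows which of the three conditions is responsible before any change is requested from that site's owner.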

Additional Information

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security