Using iDash as an external application in WCC, page is blank or won't show

Document ID : KB000016764
Last Modified Date : 14/02/2018
Question:

Using iDash as an external application in WCC, the page is blank or won't show. I either get a blank screen or an error stating frames is not supported. Other webpages work just fine.

Environment:
All
Answer:

The X-Frame-Options header is a security feature that iDash implements intentionally, and we will continue to ship the product in this configuration. A customer who wants to change this configuration can do so, but it comes with some risk. The whole purpose of the option is to prevent clickjacking exploits, so removing or loosening the protection also reopens the potential vulnerability to that exploit.

 

The relevant header is defined in IDASH_HOME/tomcat8/webapps/idash/WEB-INF/web.xml, which contains a definition for httpHeaderSecurityFilter and three filter-mappings. Users could either remove this filter (definitely not recommended) or modify it to use the ALLOW-FROM option instead of the current SAMEORIGIN option (less risky than disabling it, but still carries some risk). For the second option, users will need to adjust the first filter, then add additional filters ahead of the filter mappings with the URIs that should be allowed to open iDash in a frame. These can be added one at a time, or in a list with each URI in brackets. Below is an example of that modification:

 

Current Entry: 

<filter>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/ui/index.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/ui/legacy.html</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <url-pattern>/legacy.html</url-pattern>
</filter-mapping>

 

URI Filter: 

<filter>
    <filter-name>httpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>[https://URI1.com][https://URI2.com][https://URI3.com]</param-value>
    </init-param>
</filter>

 

This option will work if you cannot run the extension or if there isn't an extension available for the browser you want to use.
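
To review a web.xml after this kind of change, the following added example (not part of the original article and not iDash code) lists the anti-clickjacking option, the origins allowed to frame the application, and the URL patterns the filter covers, and flags inconsistent settings. The function name `audit`, the sample web.xml and its example.com hostnames are constructed for illustration; the bracketed URI list is parsed as this article writes it.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample; the example.com hostnames are placeholders, not iDash values.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <filter><filter-name>httpHeaderSecurityFilter</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingOption</param-name>
   <param-value>ALLOW-FROM</param-value></init-param>
  <init-param><param-name>antiClickJackingUri</param-name>
   <param-value>[https://wcc.example.com][http://portal.example.com]</param-value></init-param>
 </filter>
 <filter-mapping><filter-name>httpHeaderSecurityFilter</filter-name>
  <url-pattern>/ui/index.html</url-pattern></filter-mapping>
 <filter-mapping><filter-name>httpHeaderSecurityFilter</filter-name>
  <url-pattern>/ui/legacy.html</url-pattern></filter-mapping>
</web-app>"""

def audit(web_xml):
    """Return (option, allowed_uris, mapped_patterns, findings) for the header filter."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    names, params = set(), {}
    for f in root.iter("filter"):               # init-params are pooled across filter blocks
        if (f.findtext("filter-class") or "").strip() == FILTER_CLASS:
            names.add(f.findtext("filter-name").strip())
            for p in f.iter("init-param"):
                params[p.findtext("param-name").strip()] = p.findtext("param-value").strip()
    patterns = [m.findtext("url-pattern").strip() for m in root.iter("filter-mapping")
                if m.findtext("filter-name").strip() in names]
    option = params.get("antiClickJackingOption")
    raw = params.get("antiClickJackingUri", "")
    uris = re.findall(r"\[([^\]]+)\]", raw) or ([raw] if raw else [])  # bracket list or single URI
    findings = []
    if not names:
        findings.append("HttpHeaderSecurityFilter is not defined in this web.xml")
    elif option == "ALLOW-FROM" and not uris:
        findings.append("ALLOW-FROM set without antiClickJackingUri")
    if uris and option != "ALLOW-FROM":
        findings.append("antiClickJackingUri present but option is %r" % option)
    for u in uris:
        if urlparse(u).scheme != "https":       # plaintext origins can be tampered with in transit
            findings.append("non-HTTPS framing origin: " + u)
    return option, uris, patterns, findings
```

Browsers that do not implement ALLOW-FROM ignore an X-Frame-Options header that uses it, so also confirm the header the server actually returns and how each supported browser treats it.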