3 Replies Latest reply on May 3, 2017 10:07 AM by Olga Yazovskaya

    'X-Frame-Options' header confusion..

    Olga Yazovskaya

      Hi all.

      I would like to share some information, which helped me when we faced an issue embedding URL in Tableau dashboards.

      The text is not well formatted, but I wanted to share it with the community, before I forget (as usual  ).

      Any corrections are welcomed.

       

      Tableau supports Clickjacking protection which is enabled by default. (We know it )

      This means that Tableau Server adds the ‘X-Frame-Options: SAMEORIGIN’ header to certain responses from the server.

      And in most of the browsers this header prevents the pages to be used in <iframe>  html tags.

      For more details see: https://onlinehelp.tableau.com/current/server/en-us/clickjack_protection.htm

       

      Web developers have an option to include ‘X-Frame-Options:’ header to the HTTP response.

      As said above in most of the browsers this header prevents the web pages to be used in <iframe> html tags.

      This header is used to protect the website from Clickjacking (https://en.wikipedia.org/wiki/Clickjacking ) attacks.

      These are the possible values for the ‘X-Frame-Options:’ header:

      DENY- web page cannot be used in any <iframes>,

      SAMEORIGIN- web page can be embedded only in the web page of the same origin.

      ALLOW- give ability to ‘white list’ web pages where it can be used in <iframe>

       

      Most of the popular website use ‘X-Frame-Options: SAMEORIGIN’ header for security compliance: google.com, facebook.com, etc.

      The easy way to see response headers from the web page is to use online HTTP response test tools. The tool I used is: https://www.hurl.it/ .

      You can find another one. Just google for 'http response test online'.

      Enter the url in this format: https://www.google.com and check the headers below.

      You see ‘X-Frame-Options:’? Most probably, you will not be able embed the web page in <iframe> or Tableau Dashboard(because creates an <iframe> when we embed a URL). Unless you see X-Frame-Options: ALLOW and  your uri is whitelisted.Screen Shot 2017-05-02 at 5.55.33 PM.png

       

      If you cannot use online tool you can use other web development tools (if you are a web developer you know what to you, if not there is another option below).

       

      When the web page is available only within company network, we can see headers in ‘Google Chrome Developer Tools’, following steps below:

      1. a. Open a new window in Google Chrome
      2. b. Type or Paste the URL you need to use and hit Enter
      3. c. Right-Click on the web-page and click Inspect

      This will open a new window.

      1. d. In that window click on Network tab
      2. e. Refresh the page you are testing.
      3. You will see some activity
        1. f. In the Name Section go to the very top and click on the URL you are testing. Example: www.google.com

       

      1. g. Do you see the X-Frame-Options header? Most probably you will not be able to use the web page in <iframe> or Tableau Server.

       

      If you are not sure if the issue is with Tableau Server or the webpage you are using, try to embed www.wikipedia.org . As of May 2nd 2017 it is one of a few famous sites without X-Frame-Options header.

       

      Said all above.... If a web page has X-Frame-Options header (and your uri is not is not in a list of allowed), even if you disable Clickjack defence on Tableau Server, the web page will not show in Tableau Dashboard (or any <iframe>).

       

      Good luck!

       

      Olga