1 Reply Latest reply on Aug 8, 2019 8:06 AM by Betty Neumann

    How to configure x-frame option in TSPS?

    Akshata Shelke

      Hi Experts,

      We need to configure the x-frame option in TSPS so that it can be cross-launched from another console.

      TSPS version-11.3

      Thanks in Advance!!

        • 1. Re: How to configure x-frame option in TSPS?
          Betty Neumann

          Akshata, I have an older use case where others were trying to use X-Frame within TSPS. This is not recommended.

          In the use case, an attempt to embed a TSPS dashboard in an external dashboard resulted in the following error:
          Refused to display 'https://mytspsurl.com/#/dashboard/89' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
          Is there a setting that will allow us to workaround this issue?

          Use-case scenario: As part of a pilot for demonstrating value driven by our tools, the request is to aggregate dashboards from our tools into a
          single screen, a one-stop shop for mission-critical data across tools.
          There are attempts to embed the entire TSPS application screen in an iframe; however, this option does not seem to be working with TrueSight.

          From a BMC standpoint, this cannot be supported. Researching the issue shows that allowing the embedded frames is not good and may cause a clickjack
          security issue. So it is not supported and not recommended by BMC.

          However, there is a way to do this based on the details below:
          https://stackoverflow.com/questions/27358966/how-to-set-x-frame-options-on-iframe

          The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>,
          <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
          The solution is to install a browser plugin. Again, this is not recommended by BMC as it will pose security risks.

          A web site which issues HTTP Header X-Frame-Options with a value of DENY (or SAMEORIGIN with a different server origin) cannot be integrated into
          an IFRAME... unless you change this behavior by installing a Browser plugin which ignores the X-Frame-Options Header (e.g. Chrome's Ignore
          X-Frame Headers - https://chrome.google.com/webstore/detail/ignore-x-frame-headers/gleekbfjekiniecknbkamfmkohkpodhe).

          Note that this is not recommended at all for security reasons. BMC will not support this configuration so it should not be used. The purpose of this
          Knowledge Article is to explain the issue and why it is not wise to use this type of embedded dashboard configuration.

          So while the scenarios are a bit different, the non-support of X-Frame options remains. It is not recommended and not supported.
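
The browser-side check behind the "Refused to display ... in a frame" error quoted in the reply, as an added example that is not part of the thread and not BMC code. It goes beyond the thread by also modelling the CSP `frame-ancestors` directive, which takes precedence over X-Frame-Options when a response carries both. Assumptions: only the immediate parent page is checked, source lists are limited to `'none'`, `'self'`, `*` and full origins, and `portal.example` is a constructed origin.

```javascript
// Added example: simplified model of how a browser decides whether a response
// may be rendered inside a frame. Not TSPS or BMC code.
function framingDecision(headers, frameUrl, parentUrl) {
  const frameOrigin = new URL(frameUrl).origin;   // origin of the framed page
  const parentOrigin = new URL(parentUrl).origin; // origin of the embedding page
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    const allowed = sources.some(s => {
      if (s === "'none'") return false;
      if (s === "'self'") return parentOrigin === frameOrigin;
      if (s === '*') return true;
      try { return new URL(s).origin === parentOrigin; } catch { return false; }
    });
    return { allowed, reason: 'frame-ancestors ' + sources.join(' ') };
  }

  // Header values are case-insensitive: the error in the thread shows 'sameorigin'.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parentOrigin === frameOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction sent' };
}

// URL and header value from the error message in the thread; the parents are constructed.
const tspsUrl = 'https://mytspsurl.com/#/dashboard/89';
const tspsHeaders = { 'X-Frame-Options': 'sameorigin' };
console.log(framingDecision(tspsHeaders, tspsUrl, 'https://portal.example/overview'));
console.log(framingDecision(tspsHeaders, tspsUrl, 'https://mytspsurl.com/home'));
```

The first call reports the refusal seen in the thread because the embedding page is on a different origin; the second is allowed because both pages share the `https://mytspsurl.com` origin.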