#1 2025-01-16 19:53:35

hansr
Member
Registered: 2025-01-14

Dashboard - URL Dadget

Hello,

I tried to add a URL Dadget to my dashboard.

I use the following Report Server Version:

ReportServer version:
RS4.7.3-6110 (2024-12-18-11-50-35), Community Edition
Java version:
Ubuntu OpenJDK 64-Bit Server VM 11.0.25+9-post-Ubuntu-1ubuntu124.04 (11)
Java home:
/usr/lib/jvm/java-11-openjdk-amd64 (OK)


The url i used for my test is the following: https://www.heise.de

But the result is the following: www.heise.de refused to connect.


How can I fix this issue? It is probably one of the following:

- Cross-Origin Resource Sharing (CORS) Restrictions
- Embedding Restrictions (X-Frame-Options)


Any help is highly appreciated


#2 2025-01-17 07:34:26

eduardo
Administrator
Registered: 2016-11-01

Re: Dashboard - URL Dadget

Hi hansr,

Thank you for reaching out regarding the issue with embedding https://www.heise.de in the URL gadget on your dashboard. After investigating the situation, I’ve identified the cause and would like to explain why this is not currently possible.

The website https://www.heise.de uses the X-Frame-Options HTTP header to restrict embedding in an <iframe>. Specifically, the header is set to DENY, which instructs browsers to block any attempt to display the website inside an <iframe>, regardless of the origin of the request.

Here is the result of a curl command showing the headers returned by https://www.heise.de:

➜ curl -I https://www.heise.de
HTTP/2 200 
server: nginx
date: Fri, 17 Jan 2025 07:14:14 GMT
content-type: text/html; charset=utf-8
x-cache-status: HIT
x-cache-date: Fri, 17 Jan 2025 07:13:44 GMT
last-modified: Fri, 17 Jan 2025 07:14:14 GMT
age: 27
accept-ranges: bytes
strict-transport-security: max-age=15768000
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-hacc-refreshed: 
vary: Accept-Encoding, X-Export-Agent, X-Export-Format, X-Export-IAP
cache-control: no-store
content-length: 890751

The x-frame-options: DENY header explicitly blocks embedding this page in any other website or application. This is a common security measure used by websites to prevent clickjacking and unauthorized framing.

Why This Cannot Be Bypassed
Modern browsers strictly enforce the X-Frame-Options header to ensure the security of web content. Unfortunately, there is no way to override this restriction from your side. Any attempt to bypass this restriction (e.g., by using a proxy server to strip the headers) may violate the website's terms of service.

Regards,
Eduardo

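The browser rule Eduardo describes can be turned into a pre-check that tells you, before you add a URL Dadget, whether a page will render in the dashboard's iframe. The script below is an added example written for this thread; it is not ReportServer code and not from either poster. It goes a little beyond the post: besides X-Frame-Options DENY it handles SAMEORIGIN, conflicting values, and the Content-Security-Policy frame-ancestors directive, which modern browsers evaluate instead of X-Frame-Options when both are present. The heise.de header block is an abridged copy of the curl output above and is used as offline sample input; the embedding origin https://reportserver.example.com and the other origins in the test are assumptions for illustration.

```python
"""Decide whether a page may be shown inside an <iframe> on a given
dashboard origin, from the page's HTTP response headers.

Rules implemented (as enforced by current browsers):
  * CSP frame-ancestors, if present, wins and X-Frame-Options is ignored.
  * X-Frame-Options DENY blocks every embedder; SAMEORIGIN allows only the
    page's own origin; two different values are treated as DENY;
    ALLOW-FROM and other unknown values are obsolete and not enforced.
"""
from urllib.parse import urlparse

# Abridged copy of the `curl -I https://www.heise.de` output from the post,
# used here as constructed offline sample input.
HEISE_HEADERS = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=15768000
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-hacc-refreshed:
cache-control: no-store
"""


def parse_header_block(raw):
    """Parse a `curl -I` style block into {lowercase-name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _origin(url):
    """(scheme, host, port) tuple used for origin comparisons."""
    u = urlparse(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port


def _source_matches(source, page, embedder):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.strip().strip("'").lower()  # 'self' / 'none' are quoted in CSP
    e_scheme, e_host, _ = embedder
    if src == "none":
        return False
    if src == "self":
        return page == embedder
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return e_scheme == src[:-1]
    # host-source: [scheme://]host[:port], host may begin with "*."
    if "://" in src:
        scheme, host = src.split("://", 1)
        if scheme != e_scheme:
            return False
    else:
        host = src
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return e_host.endswith(host[1:])  # *.example.com does not match the apex
    return e_host == host


def can_be_framed(raw_headers, page_url, embedder_url):
    """Return (allowed, reason) for embedding page_url on embedder_url."""
    headers = parse_header_block(raw_headers)
    page, embedder = _origin(page_url), _origin(embedder_url)

    # CSP frame-ancestors takes precedence over X-Frame-Options.
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                sources = value.split() or ["'none'"]  # empty list means 'none'
                allowed = any(_source_matches(s, page, embedder) for s in sources)
                return allowed, "CSP frame-ancestors " + value.strip()

    xfo = headers.get("x-frame-options")
    if not xfo:
        return True, "no framing restriction header present"
    values = {v.strip().upper() for h in xfo for v in h.split(",") if v.strip()}
    if len(values) > 1:
        return False, "conflicting X-Frame-Options values (browsers treat this as DENY)"
    value = values.pop()
    if value == "DENY":
        return False, "X-Frame-Options: DENY (no origin may frame this page)"
    if value == "SAMEORIGIN":
        return page == embedder, "X-Frame-Options: SAMEORIGIN (same-origin embedding only)"
    return True, "X-Frame-Options: %s is obsolete/invalid and not enforced by browsers" % value


if __name__ == "__main__":
    # Assumed dashboard origin for illustration.
    print(can_be_framed(HEISE_HEADERS, "https://www.heise.de/",
                        "https://reportserver.example.com/"))
```

For a live check, paste the output of `curl -I <url>` into `can_be_framed` with your ReportServer origin as the embedder. When the result is `False` the only working options are to embed a page that permits framing, or to ask the site owner to add your ReportServer origin to a `frame-ancestors` directive.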


Powered by FluxBB