#1 2025-01-16 19:53:35

hansr
Member
Registered: 2025-01-14

Dashboard - URL Gadget

Hello,

I tried to add a URL Gadget on my dashboard.

I use the following Report Server Version:

ReportServer version:
RS4.7.3-6110 (2024-12-18-11-50-35), Community Edition
Java version:
Ubuntu OpenJDK 64-Bit Server VM 11.0.25+9-post-Ubuntu-1ubuntu124.04 (11)
Java home:
/usr/lib/jvm/java-11-openjdk-amd64 (OK)


The URL I used for my test is the following: https://www.heise.de

But the result is the following: www.heise.de hat die Verbindung abgelehnt.


How can I fix this issue? It is probably one of the following:

- Cross-Origin Resource Sharing (CORS) Restrictions
- Embedding Restrictions (X-Frame-Options)


Any help is highly appreciated.

#2 2025-01-17 07:34:26

IF_Eduardo
Administrator
Registered: 2016-11-01

Re: Dashboard - URL Gadget

Hi hansr,

Hello,

Thank you for reaching out regarding the issue with embedding https://www.heise.de in the URL gadget on your dashboard. After investigating the situation, I’ve identified the cause and would like to explain why this is not currently possible.

The website https://www.heise.de uses the X-Frame-Options HTTP header to restrict embedding in an <iframe>. Specifically, the header is set to DENY, which instructs browsers to block any attempt to display the website inside an <iframe>, regardless of the origin of the request.

Here is the result of a curl command showing the headers returned by https://www.heise.de:

➜ curl -I https://www.heise.de
HTTP/2 200 
server: nginx
date: Fri, 17 Jan 2025 07:14:14 GMT
content-type: text/html; charset=utf-8
x-cache-status: HIT
x-cache-date: Fri, 17 Jan 2025 07:13:44 GMT
last-modified: Fri, 17 Jan 2025 07:14:14 GMT
age: 27
accept-ranges: bytes
strict-transport-security: max-age=15768000
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-hacc-refreshed: 
vary: Accept-Encoding, X-Export-Agent, X-Export-Format, X-Export-IAP
cache-control: no-store
content-length: 890751

The x-frame-options: DENY header explicitly blocks embedding this page in any other website or application. This is a common security measure used by websites to prevent clickjacking and unauthorized framing.

Why This Cannot Be Bypassed
Modern browsers strictly enforce the X-Frame-Options header to ensure the security of web content. Unfortunately, there is no way to override this restriction from your side. Any attempt to bypass this restriction (e.g., by using a proxy server to strip the headers) may violate the website's terms of service.

Regards,
Eduardo
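
An added example, not part of the reply above and not ReportServer code: a pre-check that reads `curl -I` output and reports whether a page can be framed by a dashboard before its URL is put into a gadget. It goes beyond the X-Frame-Options case in this thread by also reading the CSP `frame-ancestors` directive, which browsers give precedence over X-Frame-Options. The function names and the dashboard origin `https://reports.example.internal` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed input: a subset of the header lines from the curl output above.
SAMPLE = """HTTP/2 200
server: nginx
x-frame-options: DENY
x-content-type-options: nosniff
"""

def parse_headers(raw):
    """Turn `curl -I` output into {lower-case name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def can_embed(raw, target_url, dashboard_url):
    """Return (allowed, reason) for dashboard_url framing target_url directly."""
    headers = parse_headers(raw)
    me = origin(dashboard_url)
    same = origin(target_url) == me
    # Collect every frame-ancestors directive; each policy must allow the embed.
    lists = []
    for policy in ",".join(headers.get("content-security-policy", [])).split(","):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.lower() for t in tokens[1:]])
    if lists:  # browsers ignore X-Frame-Options when frame-ancestors is present
        for sources in lists:
            ok = ("*" in sources or me in sources
                  or (same and "'self'" in sources))
            if not ok:  # host wildcards and scheme sources are not evaluated here
                return False, "CSP frame-ancestors " + (" ".join(sources) or "'none'")
        return True, "CSP frame-ancestors allows this origin"
    xfo = {v.strip().upper() for h in headers.get("x-frame-options", [])
           for v in h.split(",")}
    if "DENY" in xfo:
        return False, "X-Frame-Options: DENY"
    if "SAMEORIGIN" in xfo and not same:
        return False, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction found"
```

The check is conservative: a `frame-ancestors` source written as a host wildcard or a bare scheme is reported as blocking, so a "blocked" result for such a policy should be confirmed in the browser console.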
