Dashboards & Visualizations

iframes and views broken after Splunk 6 upgrade

dannux
Path Finder

One of our main features broke after upgrading to version 6:

Problem

We have some custom views that allow users to get information without login. In order to do that we use insecure login and iframes.

http://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/3rdParty#x1._Enable_insecure_login

I tested the insecure login and the view is working fine. However, when is coming in the iframe we do not have any display. Please note that this was working just before we did the upgrade.

This is my HTML code

<meta http-equiv="X-Frame-Options" content="allow" />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<meta http-equiv="X-Frame-Options" content="allow" />

Splunk Stuff


<!-- content starts here -->

Test for insecure login


This is my view code


sourcetype="tpharma_admin" | timechart span="5m" avg(zCPU_IDLE) by source
-24h

line
time
right
FAST Admin Idle_CPU
<!-- Set Y axis to 100 -->
100
<!-- Time Range Button -->

Last 24 hours
True

<!-- Define JSChart insteadn of FlashChart -->



<module name="HiddenSearch" autoRun="True" layoutPanel="panel_row2_col1">
            <param name="search">sourcetype="tpharma_admin" | timechart span="5m" avg(free_memory) by source</param>
            <param name="earliest">-24h</param>
            <module name="HiddenChartFormatter">
            <param name="chart">column</param>
                            <param name="primaryAxisTitle.text">time</param>
    <param name="legend.placement">right</param>
    <param name="chartTitle">FAST Admin free_mem</param>
    <!--  Time Range Button  -->
    <module name="TimeRangePicker">
                            <param name="selected">Last 24 hours</param>
                            <param name="searchWhenChanged">True</param>
    <module name="JobProgressIndicator"/>
    <!--  Define JSChart  -->
    <module name="JSChart"/>
</module>
 </module>
      </module>
</view>

Thanks,
Dan

Tags (2)
1 Solution

hexx
Splunk Employee
Splunk Employee

In 5.0.5 and 6.0, as part of a security-related fix (reference SPL-65987) we disabled the ability to insecurely embed content on a remote site by default.

To restore this capability, you now need to make an explicit change in web.conf to the x_frame_options_sameorigin parameter and set it to False:

x_frame_options_sameorigin = [True | False]
    * adds a X-Frame-Options header set to "SAMEORIGIN" to every response served by cherrypy
    * Defaults to True

View solution in original post

piebob
Splunk Employee
Splunk Employee

a change was made in 5.0.5 and later versions to improve security and prevent clickjacking issues, this is what you're running into.

to implement this change, we set X-FRAME-OPTIONS=SAMEORIGIN in the header for all cherrypy served pages. this means that you can only iframe in pages coming from the same site.

we added a new web.conf setting: x_frame_options_sameorigin = [True | False] which defaults to True.

if you set this to False, your iframing will work again.

rroberts
Splunk Employee
Splunk Employee

Im on Splunk 6.1.3 and Im still seeing this problem: Refused to display 'https://sites.google.com/site/rickerlr/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. I have set in my $SPLUNK_HOME/etc/system/local/web.conf x_frame_options_sameorigin = False , restarted Splunk but still getting the same error. Ideas?

0 Karma

dannux
Path Finder

Thank you for your answer problem solved.

0 Karma

hexx
Splunk Employee
Splunk Employee

In 5.0.5 and 6.0, as part of a security-related fix (reference SPL-65987) we disabled the ability to insecurely embed content on a remote site by default.

To restore this capability, you now need to make an explicit change in web.conf to the x_frame_options_sameorigin parameter and set it to False:

x_frame_options_sameorigin = [True | False]
    * adds a X-Frame-Options header set to "SAMEORIGIN" to every response served by cherrypy
    * Defaults to True

vikashperiwal
Path Finder

Hi,

Do we any documentation for this type of issue , as it's with every upgrade 

 

I am havng same issue with Splunk 8.0.6, and the above is not helping me to load iframe 

Tried the same in web.conf 

 

 

 

 

0 Karma

splunkn
Communicator

hexx,

I was trying to embed iframe for "https://localhost:8089/services/" in my xml located in "http://localhost:8000".
But it throws an error as "Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'"

So I have modified the above stanza in my web.conf as you stated above. However no luck.

Then I added the following stanza in my system/local server.conf. Then it works like a charm.

[httpServer]
x_frame_options_sameorigin = False

Is there any notable difference between these two stanzas in web.conf and server.conf? Why the error occured even-though i changed my web.conf?

Splunk Version : 6.3.0

rbardonetorian
Path Finder

Hello all,

As a follow up.. Would there be a config available to keep the security, though allow ONLY a specific address?

IE: Keep the setting "x_frame_options_sameorigin = [True ]" with an exception set to allow x.x.x.x\16 OR x.x.x.x OR URL string

Thanks!!

0 Karma

anandhalagarasa
Path Finder

@ rbardonetorian if you have any solution then kindly share the same since we also want to keep the x_frame_options as "True" and we want to allow only a particular URL so if you have any ideas then kindly share.

0 Karma

anandhalagarasa
Path Finder

Can anyone help on this

0 Karma

a212830
Champion

When using search-head pooling, which web.conf file would get updated for this issue?

0 Karma

dannux
Path Finder

Thank you for your answer problem solved.

0 Karma

ChrisG
Splunk Employee
Splunk Employee
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...