Recently, I've been working on migration from Splunk 7 to Splunk 8. But I run into a little bit trouble with iframe. It was used to embed one of the dashboards within another dashboard, both of which are part of my Splunk app. And it was working fine with Splunk 7.3.X.
However, in Splunk 8.0.4 and 8.0.5, it seems not able to reference any of the dashboards within the Splunk instance. All it shows is "Loading...", but if it points to some website outside the Splunk instance, it works fine as shown in the screenshots below:
I've identified that it has nothing to do with the system web.conf/server.conf. I've enabled iframe and inline-style content and some other options, but they don't change the behavior of my iframe.
Then I investigated the network traffic using the browser inspector. It seems in Splunk 8 whenever dashboard visualization is starting to initialize, a GET request is sent like this: localhost:8000/en-us/config?autoload=1. And normally it should receive a response with a list of configuration settings. In my case, this request is sent twice. First time is for the initialization of the main dashboard and the second time is for that of the dashboard that is intended to load in the iframe. But the second request will never receive a correct response. Instead, it always says CORS Missing Allow Origin and thus it's always blocked by the browser.
OK, CORS then. But noooo, again, it has nothing to do with the CORS-related options in the system web.conf/server.conf. If I put a * to allow all cross-origin use, it says setting it to * won't allow the use of credentials. So it seems when this request is launched, it specifically asks to exchange credential and setting * to allow all corss-origin use do no allow exchange of crendentials. So I put 127.0.0.1:8000 localhost:8000 trying to white-list the local Splunk server. But it still doesn't work.
The behavioral difference between Splunk 7 and 8 is that, in Splunk 7, the localhost:8000/en-us/config?autoload=1request only sent once when the main dashboard is initializing. I'm guessing this is to improve the security features of the Splunk, but somehow it's killing iframe in my case...
So, has anyone encountered such issue? Is there a workaround to resolve it?