Splunk Enterprise

How to use iframe in Splunk 8.x?

gilmanc
Explorer

Hi Folks,
Has anyone had success with using iframes in Splunk Enterprise 8.x yet? I have tested in multiple 8.0.1 environments and the panel fails to load, while the same code is working on 7.0.0 and 7.3.1 environments. Nothing I have seen from older posts is working yet. Here is the simple XML to try:

<panel>
  <title>COVID test for iFrame compatibility</title>
  <html>
    <center>
      <iframe src="https://covid-19.splunkforgood.com/coronavirus__covid_19_" width="100%" height="800px"/>
    </center>
  </html>
</panel>
1 Solution

sbland_splunk
Splunk Employee

May want to check on the web.conf in your app/default/ folder. If it doesn't exist, you can create one and add the configurations that you want within your app. iframe is disabled in Splunk 8 by default for security reasons.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Webconf

[settings] 

dashboard_html_allow_embeddable_content= true/false
dashboard_html_allow_iframes = true/false (default = false)

***** From the URL related to web.conf

dashboard_html_allow_inline_styles = <boolean>
* Whether or not to allow style attributes from inline HTML elements in dashboards.
* If "false", style attributes from inline HTML elements in dashboards will be removed 
  to prevent potential attacks.
* Default: true

dashboard_html_allow_embeddable_content = <boolean>
* Whether or not to allow <embed> and <iframe> HTML elements in dashboards.
* If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed 
  and can lead to a potential security risk.
* If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped
  from the dashboard HTML.
* Default: false

dashboard_html_wrap_embed = <boolean>
* Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>.
* If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to
  a potential security risk.
* If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help
  mitigate potential security risks.
* Default: true

dashboard_html_allow_iframes = <boolean>
* Whether or not to allow iframes from HTML elements in dashboards.
* If "false", iframes from HTML elements in dashboards will be removed to prevent
  potential attacks.
* Default: true


worshamn
Contributor

I was still having this problem in 8.0.6 despite having the following settings set to true (was trying to view an embedded report from another Splunk server):

dashboard_html_allowed_embeddable_content = true
dashboard_html_allow_iframes = true


What ultimately fixed it in our case was upgrading to 8.1.0 and adding the new setting dashboard_html_allowed_domains and setting the specific hostname and port (would not work with just the hostname or wildcard domain for some reason) like so:

dashboard_html_allowed_domains = <hostname>.<company_domain>:8000

 

mjones414
Contributor

Has something changed in 8.2.3 that would have broken this functionality?

We had this working up until a recent Splunk upgrade and then it suddenly stopped. I've confirmed that we are using the options above as well as the following sandbox options:

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="/app/lookup_editor/lookup_edit?lookup=$watchlist$&amp;namespace=MyAppTest&amp;type=csv&amp;owner=nobody" width="100%" height="400" border="0" frameborder="0"/>


Now it just says loading....

0 Karma

sanderdenheijer
Explorer

Adding the following to web.conf fixed it for me, using Splunk 8.1.3:

[settings]
dashboard_html_allowed_embeddable_content = true
dashboard_html_allowed_domains = <hostname>.<company_domain>:8000

=== Addition ===

Above settings worked for a single instance.

In our clustered environment I got it working for accounts that log in using SAML by adding the following to web.conf:

[settings]
dashboard_html_allowed_embeddable_content = true
dashboard_html_allowed_domains = <hostname>.<company_domain>:8000, microsoftonline.com
x_frame_options_sameorigin = false

 Local accounts still get an error.

When looking at the console of my browser (F12 -> Console), I saw a 404 error mentioning the second domain that needed to be allowed.

Hope this helps!

0 Karma
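Added example, not part of the thread and not Splunk's own code: a small audit of web.conf text for the embedding settings discussed in the posts above, using the defaults from the spec excerpt in the accepted answer. The sample stanza and hostname are constructed, and the accepted boolean spellings and the treatment of an absent x_frame_options_sameorigin as enabled are assumptions.

```python
import re

# Names quoted from the web.conf spec in the accepted answer, plus
# dashboard_html_allowed_domains from the later replies.
KNOWN = {"dashboard_html_allow_inline_styles", "dashboard_html_allow_embeddable_content",
         "dashboard_html_wrap_embed", "dashboard_html_allow_iframes", "dashboard_html_allowed_domains"}

def is_true(value):
    # Assumption: these spellings are read as boolean true.
    return value.strip().lower() in {"1", "true", "t", "yes", "y"}

def parse_settings(conf_text):
    """Return {key: value} for the [settings] stanza of web.conf text."""
    settings, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
        elif stanza == "settings" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(conf_text):
    """Return findings for the dashboard embedding settings."""
    s, findings = parse_settings(conf_text), []
    embed_on = is_true(s.get("dashboard_html_allow_embeddable_content", "false"))
    domains = [d.strip() for d in s.get("dashboard_html_allowed_domains", "").split(",") if d.strip()]
    if embed_on and not domains:
        findings.append("embeddable content allowed without dashboard_html_allowed_domains")
    if not is_true(s.get("dashboard_html_wrap_embed", "true")):
        findings.append("dashboard_html_wrap_embed disabled: <embed> not wrapped in <iframe sandbox>")
    if not is_true(s.get("x_frame_options_sameorigin", "true")):
        findings.append("x_frame_options_sameorigin disabled: Splunk Web may be framed cross-origin")
    for key in sorted(s):
        if key.startswith("dashboard_html_") and key not in KNOWN:
            findings.append("key not in the quoted spec: " + key)
    return findings

# Constructed sample input (placeholder hostname).
SAMPLE = """[settings]
dashboard_html_allow_embeddable_content = true
dashboard_html_allowed_domains = splunk.example.com:8000
x_frame_options_sameorigin = false
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
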

gilmanc
Explorer

See @sbland_splunk's answer for the solution
Set dashboard_html_allow_embeddable_content = true in local web.conf settings stanza

0 Karma

vishwa0220
Engager

But while executing inspect over that application, which has settings in web.conf, it's giving an error:

splunk-appinspect | Web.conf File Standards Ensure that web.conf is safe for cloud deployment and
splunk-appinspect | that any exposed patterns match endpoints defined by the app - apps should not
splunk-appinspect | expose endpoints other than their own. Including web.conf can have adverse
splunk-appinspect | impacts for cloud. Allow only [endpoint:*] and [expose:*] stanzas, with expose
splunk-appinspect | only containing pattern= and methods= properties. web.conf
splunk-appinspect | Check that web.conf only defines [endpoint:] and [expose:] stanzas,
splunk-appinspect | with [expose:*] only containing pattern= and methods=.
splunk-appinspect | FAILURE: Only the [endpoint:*] and [expose:*] stanzas are
splunk-appinspect | permitted in web.conf for cloud. Please remove this stanza from
splunk-appinspect | web.conf: [settings]. File: default/web.conf Line Number: 1

0 Karma

gilmanc
Explorer

@sbland_splunk Thank you, this did it for me! I also heard back from Support via a ticket with the same response. For my environment, dashboard_html_allow_iframes was set to true and dashboard_html_allow_embeddable_content was set to false by default. So I had to add to my etc\system\local\web.conf the dashboard_html_allow_embeddable_content = true under [settings] and it worked after a restart!
Some other good details from Support:
Based on the description of the case, after reviewing the Splunk documentation for Splunk version 8.0.1, I found out that Splunk has removed some features in version 8.0.x, including <iframe> and <embed>. Please take a look at the link below, which contains the information about it:
https://docs.splunk.com/Documentation/Splunk/8.0.3/ReleaseNotes/Deprecatedfeatures#Removed_features_...
In the above link it is recommended to use the "html_allow_embeddable_content" flag in web.conf instead of <iframe> and <embed>.

0 Karma

woodcock
Esteemed Legend

I definitely would open a support case on this.

0 Karma

PavelP
Motivator

Hello gilmanc,

here is an example from Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/):

<dashboard>
  <label>Dashboard Display Controls</label>
  <description>Turn on or off display of common components like the header, title, edit controls.</description>
  <row>
    <panel>
      <html>
        <h2>Example iframe of a dashboard</h2>
        <p>Uses display controls via the http get param</p>
        <code>
          <![CDATA[<iframe src="/app/simple_xml_examples/simple_display_controls_example?hideChrome=true&hideEdit=true">]]>
        </code>


        <iframe src="/app/simple_xml_examples/simple_display_controls_example?hideChrome=true&amp;hideEdit=true" width="100%" height="400" border="0" frameborder="0"/>
      </html>
    </panel>
  </row>
</dashboard>

The Simple XML reference (https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/PanelreferenceforSimplifiedXML#html) shows three ways to use the src attribute, all of them pointing to a file on the same Splunk server:

  • HTML file from the same app context
  • HTML file from a different app context
  • Image file

Until somebody corrects me, it seems that it is not possible to embed a web page from a remote server using iframe. Splunk converts HTML from Simple XML to a JavaScript variable and builds the dashboard dynamically, sanitizing the input, where (I think) external references are being filtered out.

gilmanc
Explorer

Hi @PavelP,
Thanks for pointing me this way for some reference. This page in the app fails to load the iframe referenced in the code in my 8.0.1 production and development environments. I checked my 7.3.1 environment and it loads correctly. This is essentially the problem I'm still having - that iframe doesn't seem to be working in 8.0.1 for me.

For images, I tend to use img instead of iframe, but good to know that is an option.

To your last point, I am able to load a remote web page using iframe in 7.3.1 and 7.0.0 environments and have done so with many different web pages. The exact XML above works in those 7.x environments.

0 Karma

PavelP
Motivator

Thank you @gilmanc for the feedback, good to know! I've never used iframe for a dashboard before. I hope you'll figure out why it doesn't work.

0 Karma