Splunk Enterprise

How to use iframe in Splunk 8.x?

gilmanc
Explorer

Hi Folks,
Has anyone had success with using iframes in Splunk Enterprise 8.x yet? I have tested in multiple 8.0.1 environments and the panel fails to load, while the same code is working on 7.0.0 and 7.3.1 environments. Nothing I have seen from older posts is working yet. Here is the simple XML to try:

<panel>
  <title>COVID test for iFrame compatibility</title>
  <html>
    <center>
      <iframe src="https://covid-19.splunkforgood.com/coronavirus__covid_19_" width="100%" height="800px"/>
    </center>
  </html>
</panel>
Labels (1)
1 Solution

sbland_splunk
Splunk Employee
Splunk Employee

May want to check on the web.conf in your app/default/ folder. If it doesn't exist, you can create one and add the configurations that you want within your app. iframe is disabled in Splunk 8 by default for security reasons.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Webconf

[settings] 

dashboard_html_allow_embeddable_content= true/false
dashboard_html_allow_iframes = true/false (default = false)

***** From the URL related to web.conf

dashboard_html_allow_inline_styles = <boolean>
* Whether or not to allow style attributes from inline HTML elements in dashboards.
* If "false", style attributes from inline HTML elements in dashboards will be removed 
  to prevent potential attacks.
* Default: true

dashboard_html_allow_embeddable_content = <boolean>
* Whether or not to allow <embed> and <iframe> HTML elements in dashboards.
* If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed 
  and can lead to a potential security risk.
* If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped
  from the dashboard HTML.
* Default: false

dashboard_html_wrap_embed = <boolean>
* Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>.
* If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to
  a potential security risk.
* If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help
  mitigate potential security risks.
* Default: true

dashboard_html_allow_iframes = <boolean>
* Whether or not to allow iframes from HTML elements in dashboards.
* If "false", iframes from HTML elements in dashboards will be removed to prevent
  potential attacks.
* Default: true

View solution in original post

worshamn
Contributor

I was still having this problem in 8.0.6 despite having the the following settings set to true (was trying to view an embedded report from another Splunk server):

dashboard_html_allowed_embeddable_content = true
dashboard_html_allow_iframes = true


What ultimately fixed it in our case was upgrading to 8.1.0 and adding the new setting dashboard_html_allowed_domains and setting the specific hostname and port (would not work with just the hostname or wildcard domain for some reason) like so:

dashboard_html_allowed_domains = <hostname>.<company_domain>:8000

 

mjones414
Contributor

Has something changed in 8.2.3 that would have broken this functionality?

We had this working up until a recent splunk upgrade and then it suddenly stopped:  I've confirmed that we are using the options above as well as the following sandbox options:

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="/app/lookup_editor/lookup_edit?lookup=$watchlist$&amp;namespace=MyAppTest&amp;type=csv&amp;owner=nobody" width="100%" height="400" border="0" frameborder="0"/>


Now it just says loading....

0 Karma

sanderdenheijer
Explorer

Adding the following to web.conf fixed it for me, using Splunk 8.1.3:

[settings]
dashboard_html_allowed_embeddable_content = true
dashboard_html_allowed_domains = <hostname>.<company_domain>:8000

=== Addition ===

Above settings worked for a single instance.

In our clustered environment I got it working for accounts that log in using SAML by adding the following to web.conf:

[settings]
dashboard_html_allowed_embeddable_content = true
dashboard_html_allowed_domains = <hostname>.<company_domain>:8000, microsoftonline.com
x_frame_options_sameorigin = false

 Local accounts still get an error.

When looking at the console of my browser (F12 -> Console), I saw a 404 error mentioning the second domain that needed to be allowed.

Hope this helps!

0 Karma

gilmanc
Explorer

See @sbland_splunk's answer for the solution
Set dashboard_html_allow_embeddable_content = true in local web.conf settings stanza

0 Karma

sbland_splunk
Splunk Employee
Splunk Employee

May want to check on the web.conf in your app/default/ folder. If it doesn't exist, you can create one and add the configurations that you want within your app. iframe is disabled in Splunk 8 by default for security reasons.

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Webconf

[settings] 

dashboard_html_allow_embeddable_content= true/false
dashboard_html_allow_iframes = true/false (default = false)

***** From the URL related to web.conf

dashboard_html_allow_inline_styles = <boolean>
* Whether or not to allow style attributes from inline HTML elements in dashboards.
* If "false", style attributes from inline HTML elements in dashboards will be removed 
  to prevent potential attacks.
* Default: true

dashboard_html_allow_embeddable_content = <boolean>
* Whether or not to allow <embed> and <iframe> HTML elements in dashboards.
* If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed 
  and can lead to a potential security risk.
* If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped
  from the dashboard HTML.
* Default: false

dashboard_html_wrap_embed = <boolean>
* Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>.
* If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to
  a potential security risk.
* If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help
  mitigate potential security risks.
* Default: true

dashboard_html_allow_iframes = <boolean>
* Whether or not to allow iframes from HTML elements in dashboards.
* If "false", iframes from HTML elements in dashboards will be removed to prevent
  potential attacks.
* Default: true

vishwa0220
Engager

But while executing inspect over that application which has settings in web.conf its giving error -

splunk-appinspect | Web.conf File Standards Ensure that web.conf is safe for cloud deployment and
splunk-appinspect | that any exposed patterns match endpoints defined by the app - apps should not
splunk-appinspect | expose endpoints other than their own. Including web.conf can have adverse
splunk-appinspect | impacts for cloud. Allow only [endpoint:*] and [expose:*] stanzas, with expose
splunk-appinspect | only containing pattern= and methods= properties. web.conf
splunk-appinspect | Check that web.conf only defines [endpoint:] and [expose:] stanzas,
splunk-appinspect | with [expose:*] only containing pattern= and methods=.
splunk-appinspect | FAILURE: Only the [endpoint:*] and [expose:*] stanzas are
splunk-appinspect | permitted in web.conf for cloud. Please remove this stanza from
splunk-appinspect | web.conf: [settings]. File: default/web.conf Line Number: 1

0 Karma

gilmanc
Explorer

@sbland_splunk Thank you, this did it for me! I also heard back from Support via a ticket with the same response. For my environment, dashboard_html_allow_iframes was set to true and dashboard_html_allow_embeddable_content was set to false by default. So I had to add to my etc\system\local\web.conf the dashboard_html_allow_embeddable_content = true under [settings] and it worked after a restart!
Some other good details from Support:
Based on the description of the case, after reviewing the Splunk documentation for Splunk version 8.0.1, I found out that Splunk has removed some features in version 8.0.x, including
<iframe> and <embed>, please take a look on below link which contains the information about it:
https://docs.splunk.com/Documentation/Splunk/8.0.3/ReleaseNotes/Deprecatedfeatures#Removed_features_... In the above link it is recommended to use "html_allow_embeddable_content" flag in web.conf instead of <iframe> and <embed>.

0 Karma

woodcock
Esteemed Legend

I definitely would open a support case on this.

0 Karma

PavelP
Motivator

Hello gilmanc,

here is an example from Splunk Dashboard Examples app (https://splunkbase.splunk.com/app/1603/):

<dashboard>
  <label>Dashboard Display Controls</label>
  <description>Turn on or off display of common components like the header, title, edit controls.</description>
  <row>
    <panel>
      <html>
        <h2>Example iframe of a dashboard</h2>
        <p>Uses display controls via the http get param</p>
        <code>
          <![CDATA[<iframe src="/app/simple_xml_examples/simple_display_controls_example?hideChrome=true&hideEdit=true">]]>
        </code>


        <iframe src="/app/simple_xml_examples/simple_display_controls_example?hideChrome=true&amp;hideEdit=true" width="100%" height="400" border="0" frameborder="0"/>
      </html>
    </panel>
  </row>
</dashboard>

the simple XML reference (https://docs.splunk.com/Documentation/Splunk/8.0.2/Viz/PanelreferenceforSimplifiedXML#html) shows three ways to use src attribute, all of them point to the file on the same splunk server:

  • HTML file from the same app context
  • HTML file from a different app context
  • Image file

Until somebody corrects me, it seems that it is not possible to embed a web page from a remote server using iframe. Splunk converts html from simple XML to a javascript variable and builds the dashboard dynamically, sanitizing the input - where ( I think ) external references are being filtered out.

gilmanc
Explorer

Hi @PavelP,
Thanks for pointing me this way for some reference. This page in the app fails to load the iframe referenced in the code in my 8.0.1 production and development environments. I checked my 7.3.1 environment and it loads correctly. This is essentially the problem I'm still having - that iframe doesn't seem to be working in 8.0.1 for me.

For images, I tend to use img instead of iframe, but good to know that is an option.

To your last point, I am able to load a remote web page using iframe in 7.3.1 and 7.0.0 environments and have done so with many different web pages. The exact XML above works in those 7.x environments.

0 Karma

PavelP
Motivator

Thank you @gilmanc for the feedback, good to know! Never used iframe for a dashboard before. I hope you'll figure it out why it doesn't work.

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...