Allowing Seeq to be Embedded in Frames
Overview
Seeq is designed to leverage the full web browser experience, but some use cases want to embed visualizations into dashboards or other web pages. This is typically done by using frames or iframes. However, embedding websites is often seen as a security risk due to clickjacking. Seeq provides configuration options the administrator can use to control whether third-party web applications are able to communicate with the Seeq server and render Seeq in an iframe.
These options are listed from least to most permissive. Here is an explanation of the settings involved in embedding Seeq in frames:
The Network/Http/AllowedOrigins setting controls which remote origins (specified as URL(s), e.g. https://application.company.com) are allowed to communicate with the Seeq server from a web browser. The Origin header of all incoming HTTP requests is examined and, if present, is matched against this configuration option. If more than one origin URL is to be specified, use a comma to delimit them. All origins can be allowed by setting this option to '*' (without the quotes).
The Network/Http/XFrameOptions and Network/Http/XFrameDomain settings work together to control whether Seeq can be embedded in an iframe.
No embedding
Disallow embedding Seeq in frames:
Set Network/Http/XFrameOptions to DENY
Allow from Same Server (Default)
If the server hosting your dashboard or other frame is on the same server as Seeq, you can use SAMEORIGIN:
Set Network/Http/XFrameOptions to SAMEORIGIN
Allow from another domain
For embedding Seeq between hosts, you must provide the allowed domain. Wildcards are not allowed, and protocols must match (e.g. http vs https):
Set Network/Http/XFrameOptions to ALLOW-FROM
Set Network/Http/XFrameDomain to http://example.com (multiple comma-separated domains are allowed, except in Internet Explorer 11 which only uses the first domain)
Allow from anywhere
This is the most permissive option. Allow embedding from anywhere by setting the options to ANY:
Set Network/Http/XFrameOptions to ANY (Internet Explorer 11 allows only the first domain specified in the XFrameDomain setting)
Important notes
The Seeq server must be secure (i.e. https)
You'll need to restart Seeq for the changes to take effect.
Display of Seeq in a frame is not supported in Safari.
The Content-Security-Policy header and its frame-ancestors directive are used to enforce the configured settings.
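As an added example (not Seeq's own code), the following Python models the settings above: it validates an XFrameDomain list against the rules stated (no wildcards, and an explicit protocol on each entry so it can be matched), derives the frame-ancestors directive each XFrameOptions value corresponds to, and checks whether a given dashboard page would be allowed to frame Seeq. The mapping from each setting to a CSP source expression is an assumption based on standard CSP semantics, not Seeq's documented implementation.

```python
from urllib.parse import urlsplit


def validate_frame_domain(xframe_domain):
    """Split the comma-separated XFrameDomain value and reject entries the
    page rules out: wildcards, and entries without an explicit scheme
    (protocols must match, so each entry has to name one)."""
    origins = []
    for raw in xframe_domain.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError(f"wildcards are not allowed: {entry}")
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"entry needs a scheme and host: {entry}")
        origins.append(f"{parts.scheme}://{parts.netloc}")
    if not origins:
        raise ValueError("XFrameDomain is empty")
    return origins


def frame_ancestors(xframe_options, xframe_domain=""):
    """Expected frame-ancestors directive for the settings (assumed mapping)."""
    opt = xframe_options.upper()
    if opt == "DENY":
        return "frame-ancestors 'none'"
    if opt == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if opt == "ALLOW-FROM":
        return "frame-ancestors " + " ".join(validate_frame_domain(xframe_domain))
    if opt == "ANY":
        return "frame-ancestors *"
    raise ValueError(f"unknown XFrameOptions value: {xframe_options}")


def embedding_allowed(directive, seeq_url, embedding_page_url):
    """Decide whether the page at embedding_page_url may frame Seeq under the
    directive, comparing scheme://host[:port] origins as a browser would."""
    sources = directive.split()[1:]
    if sources == ["'none'"]:
        return False
    if sources == ["*"]:
        return True
    seeq, page = urlsplit(seeq_url), urlsplit(embedding_page_url)
    seeq_origin = f"{seeq.scheme}://{seeq.netloc}"
    page_origin = f"{page.scheme}://{page.netloc}"
    if sources == ["'self'"]:
        return seeq_origin == page_origin
    return page_origin in sources
```

Running `embedding_allowed` with the directive for your planned settings and the URL of the dashboard page is a quick way to confirm the configuration before restarting Seeq.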
See also:
MDN X-Frame-Options documentation
Combating ClickJacking With X-Frame-Options