Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2025! Where innovative solutions turn your data visions into reality: REGISTER TODAY
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Adamkimm1
Contributor
Contributor
‎2020-03-10 10:45 AM

Refuse to display iFrame due to frame-ancestor

I'm trying to embed a sheet, created on my qlikcloud instance, into a custom web app that I'm hosting locally (localhost:8080) but I'm getting the error "Refused to display [url] in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' localhost:8080"."

 

As you can see form the error I've added a CSP policy for frame-ancestor with the origin "localhost:8080" but it doesn't seem to work. I've tried the creating a policy with "https://jsfiddle.net" just to see if it's some weird issue with localhost but that didn't work either.

 

I'm not sure if I'm misunderstanding how Qlik's CSPs work but it's seriously slowing me down.

 

2020-03-10_10-42-43.png

Labels (4)
Labels
16,752 Views
0 Likes
1 Solution

Accepted Solutions
han
Employee
Employee
‎2020-03-10 03:32 PM

Hi

Could you verify that your local server is using HTTPS since the CSP will enforce upgrade to secure connection. This is by design after discussions with our Security Experts.

 

And in the case of jsfiddle I think that the "IDE" is on that URL/Origin but the rendered viewport is in a IFRAME with some other URL/Origin (something like: https://fiddle.jshell.net)

View solution in original post

16,722 Views
3 Replies
han
Employee
Employee
‎2020-03-10 03:32 PM

Hi

Could you verify that your local server is using HTTPS since the CSP will enforce upgrade to secure connection. This is by design after discussions with our Security Experts.

 

And in the case of jsfiddle I think that the "IDE" is on that URL/Origin but the rendered viewport is in a IFRAME with some other URL/Origin (something like: https://fiddle.jshell.net)

16,723 Views
Adamkimm1
Contributor
Contributor
‎2020-03-11 11:16 AM
Author

In response to han

Thanks Han! It was that my local server was on HTTP, rather than HTTPS. Not sure about the JSFiddle but not really interested at this point anymore.

For anyone wondering, I was able to make my local server run on HTTPS by changing start script to "HTTPS=true react-scripts start" (note: this was using create-react-app).

16,683 Views
david_hg96
Partner - Contributor III
Partner - Contributor III
‎2024-02-02 07:59 AM

In response to Adamkimm1

Thanks a lot @Adamkimm1 

 

2,878 Views