Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Adamkimm1
Contributor
Contributor
‎2020-03-10 10:45 AM

Refuse to display iFrame due to frame-ancestor

I'm trying to embed a sheet, created on my qlikcloud instance, into a custom web app that I'm hosting locally (localhost:8080) but I'm getting the error "Refused to display [url] in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' localhost:8080"."

 

As you can see form the error I've added a CSP policy for frame-ancestor with the origin "localhost:8080" but it doesn't seem to work. I've tried the creating a policy with "https://jsfiddle.net" just to see if it's some weird issue with localhost but that didn't work either.

 

I'm not sure if I'm misunderstanding how Qlik's CSPs work but it's seriously slowing me down.

 

2020-03-10_10-42-43.png

Labels (8)
14,541 Views
0 Likes
1 Solution

Accepted Solutions
han
Employee
Employee
‎2020-03-10 03:32 PM

Hi

Could you verify that your local server is using HTTPS since the CSP will enforce upgrade to secure connection. This is by design after discussions with our Security Experts.

 

And in the case of jsfiddle I think that the "IDE" is on that URL/Origin but the rendered viewport is in a IFRAME with some other URL/Origin (something like: https://fiddle.jshell.net)

View solution in original post

14,511 Views
3 Replies
han
Employee
Employee
‎2020-03-10 03:32 PM

Hi

Could you verify that your local server is using HTTPS since the CSP will enforce upgrade to secure connection. This is by design after discussions with our Security Experts.

 

And in the case of jsfiddle I think that the "IDE" is on that URL/Origin but the rendered viewport is in a IFRAME with some other URL/Origin (something like: https://fiddle.jshell.net)

14,512 Views
Adamkimm1
Contributor
Contributor
‎2020-03-11 11:16 AM
Author

In response to han

Thanks Han! It was that my local server was on HTTP, rather than HTTPS. Not sure about the JSFiddle but not really interested at this point anymore.

For anyone wondering, I was able to make my local server run on HTTPS by changing start script to "HTTPS=true react-scripts start" (note: this was using create-react-app).

14,472 Views
david_hg96
Partner - Contributor III
Partner - Contributor III
‎2024-02-02 07:59 AM

In response to Adamkimm1

Thanks a lot @Adamkimm1 

 

667 Views