carloelan42
Contributor

Impossible to embed iframes because of CSP ancestor policy

I need to embed a Qlik Sense App in an external webpage (mashup), accessible without authentication.

According to this:
https://community.qlik.com/t5/Knowledge/Qlik-Sense-SaaS-does-not-display-in-a-frame-because-an-ances...

"The correct way is to add the hostname of the server that hosts the mashup as frame-ancestors in Content Security Policy in the console".

I set up a CSP policy with such hostname (I tried different combinations: the technical hostname of the Linux server, the public domain, and the subdomain which is the one actually serving the iframe), but in all cases the error in the JS console is the same:

Refused to frame 'https://login.qlik.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

So, why "none"? Shouldn't it be the hostname that I specify?

Anyway, as stated at the beginning, I just need a way to embed an iframe without asking for user login. Thank you and kind regards.
Labels (1)
  • SaaS

3 Replies
Andrew_Delaney
Support

This suggests that there may be something else that is injecting the CSP header and overwriting the Qlik Sense setting.

Are you able to try connecting using a different net connection or outside of a VPN?

Hinovia
Contributor

Hello,
We tried with different locations and there is no VPN involved.

Andrew_Delaney
Support

Can you share what CSP you have entered in the console?
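
A browser applies the `frame-ancestors` list sent with the response being framed, which in the error quoted above is `https://login.qlik.com/`. The following added example (not part of the thread and not Qlik code) parses a `Content-Security-Policy` header value and checks whether an embedding page is admitted; the hostnames and sample headers are constructed, and it checks one ancestor and treats a source without a scheme as matching any scheme, which is a simplification.

```javascript
// Added example, not Qlik code. Header values and hostnames are constructed
// samples, except 'none', which is the value quoted in the error message.
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression (scheme optional, port optional, path ignored).
function sourceMatches(source, embedder) {
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return source === embedder.protocol;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme + ':' !== embedder.protocol) return false;
  const actualPort = embedder.port || DEFAULT_PORT[embedder.protocol];
  if (port && port !== '*' && port !== actualPort) return false;
  // "*.example.com" covers subdomains only, never the bare domain.
  return host.startsWith('*.')
    ? embedder.hostname.endsWith(host.slice(1))
    : host === embedder.hostname;
}

// framedUrl: the document inside the iframe; embedderUrl: the page hosting it.
function mayEmbed(cspHeader, embedderUrl, framedUrl) {
  const sources = frameAncestors(cspHeader);
  if (sources === null) return true; // CSP places no framing restriction
  const embedder = new URL(embedderUrl);
  return sources.some((raw) => {
    const s = raw.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return embedder.origin === new URL(framedUrl).origin;
    return sourceMatches(s, embedder);
  });
}
```

To see which response carries a given policy, read the `Content-Security-Policy` response header of each request the iframe makes in the browser's network panel, redirects included, and pass that value to `mayEmbed`.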