DX NetOps

  • 1.  Browser view doubt

    Posted Oct 08, 2021 09:50 AM
    Hello

    I was trying to add a browser view into a dashboard but I got a "blocked content error"

    What is the prerequisite in terms of connectivity that is needed to have a browser view displayed in DX NetOps?

    Thank you.

    BR
    Bruno Sousa


  • 2.  RE: Browser view doubt

    Posted Oct 08, 2021 10:48 AM
    I have also had a problem trying to build the Web View...and most other app Add-Ins as well.

    Please include me in this solution?

    Thanks,
    David




  • 3.  RE: Browser view doubt

    Broadcom Employee
    Posted Oct 08, 2021 12:38 PM
    So the issue is due to security headers.

    There is an SSO Config option: "Allow Performance Center in a frame:" and in newer versions: "Custom HTTP headers to be added to our responses:"

    The Allow PC in a frame (deprecated in 21.2.x when we added Custom HTTP headers and a default value) when disabled (by default), would set the HTTP header:  X-Frame-Options: SAMEORIGIN.   What this did was make it so PC couldn't be included in an external portal page.

    This same idea is what other sites are doing. Browser view just creates a <iframe src="provided-URL"> and then the browser handles loading or rejecting the URL inside the src=. I just set up a browser view for like google.com, bbc.com, some others, and they all fail to load, even with Allow PC in a frame enabled. When I right click the big error box and choose show frame source, it actually shows me the source for google or bbc. So it's not PC blocking the contents but the source web site telling the browser to not allow it in an iframe via the response headers mentioned above.

    The App View refers to apps installed on the PC machine, so the source URL is always the PC, aka SAMEORIGIN.



  • 4.  RE: Browser view doubt

    Broadcom Employee
    Posted Oct 08, 2021 01:42 PM
    To follow up...

    The fix is to get the site you are trying to load inside a browser view to not set X-Frame-Options, or to set it to a value that allows it to be embedded in a remote iframe. That goes for any Content-Security-Policy: HTTP header provided by the source site.

    If these are internet sites being included, you are probably no longer gonna be able to include them.  But if they are intranet sites, you would need to talk to the person running those websites and see about loosening/removing the above headers.  But they may be required to set them as they do, due to security concerns.


  • 5.  RE: Browser view doubt

    Posted Oct 11, 2021 04:36 AM
    Jeffrey,

    Regarding the SSO option that you mention below for PC: if I set the option
    Allow Performance Center in a frame (Local Override)

    Do I need to restart PC in order for the setting to be applied?

    Thank you.

    BR
    Bruno Sousa



  • 6.  RE: Browser view doubt

    Broadcom Employee
    Posted Oct 11, 2021 09:50 AM

    Yes, it is live, but that will only allow PC to be included in another portal page. It will not fix other pages being included in a browser view. There is no need to enable this unless you want to include a PC view in another application web page.

    NOTE: In 21.2.1, we no longer use the "Allow Performance Center in a frame". We just use the Custom Headers setting, as it controls all the security headers that can be set. In there are the settings for "Allow Performance Center in a frame".

    "X-Frame-Options", "SAMEORIGIN", "Content-Security-Policy", "child-src 'self'"




  • 7.  RE: Browser view doubt

    Posted Oct 11, 2021 10:43 AM
    Jeff,
    So if I have installed Grafana on the DX NetOps Portal server, what settings would I need to change to allow Grafana to show its results in one of the Browser View dashboards?

    Thanks,
    David




  • 8.  RE: Browser view doubt

    Broadcom Employee
    Posted Oct 11, 2021 12:12 PM

    That may be considered SAMEORIGIN.   It's up to the browser to interpret if SAMEORIGIN is same machine, or same host:port.

    The other header "Content-Security-Policy", "child-src 'self'" means the scheme://hostname:port must match.

    But this only applies to the PC pages that we serve up.

    Any external (even on same box) URLs must set their headers so they allow their content in another application.
    If Grafana didn't specify either of these 2 headers, then it would most likely be allowed. You'd have to see what default HTTP headers Grafana sends out with responses.

    Here are the reference pages for the HTTP headers explained above.
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

    If self doesn't work on Grafana, I suspect if Grafana sets them, you might need to do child-src or frame-src with the PC URL http(s)://PCHOST:PORT

    example:  Content-Security-Policy: child-src https://myhostname:8182
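
Added example (not from the thread and not Broadcom code): a small Node.js check of whether a browser would render a page inside a Browser View iframe, based on the framed site's own response headers: X-Frame-Options and the CSP `frame-ancestors` directive, which is the CSP directive browsers apply to the response being framed. The host name `pchost`, port 3000 and the sample headers are constructed; the check covers one level of framing and exact-origin sources only.

```javascript
// Added example: would a browser render `framedUrl` inside an iframe on a page
// served from `embedderUrl`, given the framed site's response headers?
// Simplified: one level of framing; no wildcard-host, scheme-only or path sources.
const originOf = (url) => new URL(url).origin; // scheme://host[:port]

function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives;
}

function canBeFramed(headers, framedUrl, embedderUrl) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const embedder = originOf(embedderUrl);
  const self = originOf(framedUrl);

  const csp = parseCsp(h['content-security-policy'] || '');
  const ancestors = csp.get('frame-ancestors');
  if (ancestors) { // when present, browsers use it instead of X-Frame-Options
    const allowed = ancestors.some((src) => {
      if (src === '*') return true;
      if (src === "'self'") return embedder === self;
      if (src === "'none'") return false;
      // Host sources are unquoted; a quoted URL fails to parse and matches nothing.
      try { return originOf(src) === embedder; } catch { return false; }
    });
    return { allowed, decidedBy: 'Content-Security-Policy: frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'X-Frame-Options' };
  if (xfo === 'SAMEORIGIN')
    return { allowed: embedder === self, decidedBy: 'X-Frame-Options' };
  return { allowed: true, decidedBy: 'no framing header' };
}

// Constructed sample: a dashboard on port 3000 framed by the portal on port 8182.
const SAMPLE_PORTAL = 'https://pchost:8182';
const SAMPLE_DASHBOARD = 'https://pchost:3000/d/example';
for (const headers of [
  { 'X-Frame-Options': 'SAMEORIGIN' },                               // blocked: port differs
  { 'Content-Security-Policy': "frame-ancestors 'self' https://pchost:8182" }, // allowed
]) console.log(JSON.stringify(headers), canBeFramed(headers, SAMPLE_DASHBOARD, SAMPLE_PORTAL));
```

To use it against a real site, pass in the response headers shown by `curl -sI <url>` or the browser's network panel.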