4 Replies Latest reply on Nov 8, 2018 9:33 AM by jaminsql

    Allow DPA Pages to Load in Frames (iframes)?

    mheydman

      I developed a utility a few years back that allows DPA pages to display slideshow-style. I have this running on an old laptop on a shelf above my desk. It runs continuously, and allows me to keep a watchful eye on my prod databases. The original link to the project is here (freshly updated!): "DPA Rotator" - Automatically Cycle Through Important DPA Pages

       

      After recently upgrading DPA from 10.2 to 12, I see that the pages no longer load in frames:

      Refused to display 'http://myservername/iwc/database.iwc?db_id=11&repo_id=1&pm=P' in a frame because it set 'X-Frame-Options' to 'deny'.

       

       

      Is there some way to tweak a config file or existing html template to allow the pages to display in frames? I opened a support case and it was suggested that I create a feature request/idea on THWACK. I just thought I should pose the question here, in case there is a workaround that wouldn't require an application feature.

        • Re: Allow DPA Pages to Load in Frames (iframes)?
          jaminsql

          mheydman,

           

            The change for this was actually made in DPA 11.0; see the release notes here: DPA 11.0.387 Release Notes - SolarWinds Worldwide, LLC. Help and Support. This was a change made for security: "929798 Cross-site request forgery protection was added."

          Cross Site Request Forgery (CSRF) is a security feature that has been requested by some customers and in general is good practice.

           

          I can test to confirm this is the cause of what you are seeing and reply back. If this is the case, as I suspect, you can turn off the cross-site forgery protection with a DPA system.properties file change if you are not concerned about this security protection.

            • Re: Allow DPA Pages to Load in Frames (iframes)?
              mheydman

              Thanks for the clarification, jaminsql. I understand the security implications of disabling this cross-site forgery protection setting; since my DPA is only accessed via internal LAN, this should not pose a problem. If there's a related config setting available in system.properties, that would be a great solution to my issue!

                • Re: Allow DPA Pages to Load in Frames (iframes)?
                  jaminsql

                  mheydman,

                   

                  After further testing on this item, it looks like I was incorrect on what changed this exactly, though it did change in DPA 11.0. We made several security improvements.

                  The item that changed this in 11.0 was actually a change as a result of upgrading to Spring 4.x and is considered a security enhancement, mainly for XSS (cross-site scripting). https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/appendix-namespace.html#nsa-frame-options

                   

                   

                  There is a system property that we can change in a config file that has to do with cross-site scripting but, on testing, it does not restore this option for iframes. There is a workaround, but as it requires changes to files that would not be in our regular config files, it is best as a feature request and perhaps sending you the details in your support case.

                    • Re: Allow DPA Pages to Load in Frames (iframes)?
                      jaminsql

                      Update to the thread here for anyone that would like to use this feature. We did find a solution that worked to enable this ability for iframes again, but it requires some changes to files in DPA that would be overwritten on a DPA upgrade. In general, when there is an easy config file change or system option that will help with something in DPA, Support will share steps on what you change here on THWACK. As this change is outside of the normal config files, we would like to know how many customers are looking for this change so we can track the demand for this feature.

                       

                      Please open a support ticket if you would like the details.
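
As an added example (not part of the thread and not SolarWinds or Spring code): a simplified model of the check a browser runs before rendering a response in a frame, which is what produces the "Refused to display" message quoted in the first post. The function name `canFrame` and the embedding origin `http://rotator.example` are assumptions; `frame-ancestors` matching is reduced to `'none'`, `'self'`, `*` and exact origins, and `parentOrigin` stands in for every ancestor frame.

```javascript
// Added example: simplified model of a browser's framing decision.
// canFrame() is a hypothetical helper, not a DPA or Spring API.
function canFrame(headers, pageUrl, parentOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const pageOrigin = new URL(pageUrl).origin;

  // A CSP frame-ancestors directive, when present, replaces X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    // Simplification: only 'none', 'self', * and exact origins are matched.
    const allowed = !sources.includes("'none'") && sources.some((s) =>
      s === '*' ||
      (s === "'self'" && parentOrigin === pageOrigin) ||
      s.toLowerCase() === parentOrigin.toLowerCase());
    return { allowed, reason: 'CSP frame-ancestors ' + sources.join(' ') };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parentOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no enforceable framing restriction' };
}

// Constructed sample: the URL is the one quoted in the first post,
// the embedding origin is made up.
const page = 'http://myservername/iwc/database.iwc?db_id=11&repo_id=1&pm=P';
const rotator = 'http://rotator.example';
console.log(canFrame({ 'X-Frame-Options': 'deny' }, page, rotator));
console.log(canFrame({ 'X-Frame-Options': 'SAMEORIGIN' }, page, 'http://myservername'));
console.log(canFrame({ 'Content-Security-Policy': "frame-ancestors 'self' " + rotator }, page, rotator));
```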