
Allow DPA Pages to Load in Frames (iframes)?

I developed a utility a few years back that allows DPA pages to display slideshow-style. I have this running on an old laptop on a shelf above my desk. It runs continuously, and allows me to keep a watchful eye on my prod databases. The original link to the project is here (freshly updated!): "DPA Rotator" - Automatically Cycle Through Important DPA Pages

After recently upgrading DPA from 10.2 to 12, I see that the pages no longer load in frames:

Refused to display 'myservername/.../database.iwc' in a frame because it set 'X-Frame-Options' to 'deny'.

Is there some way to tweak a config file or existing html template to allow the pages to display in frames? I opened a support case and it was suggested that I create a feature request/idea on THWACK. I just thought I should pose the question here, in case there is a workaround that wouldn't require an application feature.

  • mheydman,

    The change for this was actually made in DPA 11.0; see the release notes here: DPA 11.0.387 Release Notes - SolarWinds Worldwide, LLC. Help and Support. This was a change made for security: "929798 Cross-site request forgery protection was added."

    Cross Site Request Forgery (CSRF) is a security feature that has been requested by some customers and in general is good practice.

    I can test to confirm this is the cause of what you are seeing and reply back. If this is the case, as I suspect, you can turn off the cross-site forgery protection with a DPA system.properties file change if you are not concerned about this security protection.

  • Thanks for the clarification, jaminsql. I understand the security implications of disabling this cross-site forgery protection setting; since my DPA is only accessed via internal LAN, this should not pose a problem. If there's a related config setting available in system.properties, that would be a great solution to my issue!

  • mheydman,

    After further testing on this item, it looks like I was incorrect on what changed this exactly, though it did change in DPA 11.0. We made several security improvements.

    The item that changed this in 11.0 was actually a change as a result of upgrading to Spring 4.x and is considered a security enhancement, mainly for XSS (cross-site scripting). https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/appendix-namespace.html#nsa-frame-options

    There is a system property that we can change in a config file that has to do with cross-site scripting but, on testing, it does not restore this option for iframes. There is a workaround, but as it requires changes to files that are not in our regular config files, it is best handled as a feature request, perhaps with the details sent to you in your support case.

  • Update to the thread here for anyone that would like to do this feature. We did find a solution that worked to enable this ability for iframes again, but it requires some changes to files in DPA that would be overwritten on a DPA upgrade. In general, when there is an easy config file change or system option that will help with something in DPA, Support will share steps on what to change here on THWACK. As this change is outside of the normal config files, we would like to know how many customers are looking for this change so we can track the demand for this feature.

    Please open a support ticket if you would like the details.