Last tested: Nov 7, 2018
Let's conquer this beast.
First things first. What the heck is an origin?
It's the combination of protocol, domain, and port:
{protocol}://{domain}:{port} --> https://developer.mozilla.org:443
OK, got it. What about sameorigin?
It's a policy that prohibits a page from one origin from being displayed inside a page of a different origin. When Looker is embedded in an iframe, that iframe requests and displays content from Looker's origin, which is different from the parent page's origin. For example, if I embed a dashboard from a Looker instance in https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe, the two origins are not the same.
Where does X-Frame-Options fit in?
The X-Frame-Options HTTP response header tells a browser whether or not it may render a page in an iframe. Tying this back to sameorigin, when the X-Frame-Options header is set to sameorigin, the browser refuses to render the framed page if the parent page has a different origin. So, you might be wondering, "how can Looker be embedded at all then?" That brings me to the most important point.
Looker doesn't include the X-Frame-Options: sameorigin header in pages intended for embedding
This includes /dashboards, /looks, etc. This does not include /spaces, /admin, /login, etc.
When SSO embedding happens, the login url is hit and redirects to the embedded content. There are therefore two relevant network events to keep in mind: the login url and the content url.
The login url has the X-Frame-Options: sameorigin header, but the content url does not. Therefore, assuming users aren't trying to embed pages not intended for embedding, the only time you should see the error is when the SSO login fails and the redirect never happens.
So, from a practical troubleshooting perspective, don't get distracted by the error. Instead, suit up in chain mail and figure out whether A) the page being embedded is legitimately intended for embedding and B) if it is, why is the SSO login url not redirecting to the content url? (hint: is the URL invalid in some way?)
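The two checks above can be run mechanically: walk the redirect chain hop by hop, then ask whether the final page is the one that carries the header and whether the login hop actually redirected. This is an added example, not Looker's code; the hostnames, paths and response hops below are constructed placeholders, and it assumes a successful SSO login answers with a 3xx to the content url.

```python
"""Walk an SSO embed redirect chain hop by hop and apply the article's two checks.
Added example, not Looker's code; sample hops, hosts and paths are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

def origin(url):
    """{protocol}://{domain}:{port}, filling in the scheme's default port."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return f"{p.scheme}://{p.hostname}:{port}"

def header(headers, name):
    """Case-insensitive lookup: header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # returning None makes urllib surface the 3xx as HTTPError

def fetch_chain(url, max_hops=5):
    """Record (url, status, headers) per hop instead of auto-following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            resp = opener.open(url)
        except urllib.error.HTTPError as err:
            resp = err  # 3xx/4xx/5xx responses still expose .code and .headers
        chain.append((url, resp.code, dict(resp.headers)))
        if not 300 <= resp.code < 400 or not resp.headers.get("Location"):
            break
        url = urljoin(url, resp.headers["Location"])
    return chain

def diagnose(chain, parent_url, via_sso_login=True):
    """chain[0] is the first response the iframe got; chain[-1] is what it renders."""
    final_url, _status, final_headers = chain[-1]
    if origin(final_url) == origin(parent_url):
        return "same origin: sameorigin cannot be the cause"
    if via_sso_login and len(chain) == 1 and not 300 <= chain[0][1] < 400:
        return "sso login did not redirect; check the embed URL"
    if (header(final_headers, "X-Frame-Options") or "").lower() == "sameorigin":
        return "content page is not intended for embedding"
    return "ok: content page has no X-Frame-Options"

# Constructed hops (placeholder host). Healthy SSO embed: login 302s to a dashboard.
OK_CHAIN = [("https://looker.example.com/login?signed=PLACEHOLDER", 302,
             {"X-Frame-Options": "SAMEORIGIN", "Location": "/dashboards/1"}),
            ("https://looker.example.com/dashboards/1", 200, {"Content-Type": "text/html"})]
# Bad signed URL: the login page renders in place and brings sameorigin with it.
FAILED_CHAIN = [("https://looker.example.com/login?signed=BAD", 200,
                 {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"})]
```

Against a live instance, `diagnose(fetch_chain(embed_url), parent_url)` gives the same classification from real responses.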
NOTE: X-Frame-Options: sameorigin only applies to displaying content in an iframe (the security issue it is meant to prevent is one of user interaction, i.e. clickjacking). It does not block the request itself or stop the browser from honoring redirects within an iframe.