Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Does setting "X-Frame-Options" to SAMEORIGIN on Spotfire Server have any impact on web pages that use Spotfire Javascript API or embedded analysis iframe?

Kisiel, Pawel
  • Updated

Keywords:

Spotfire Server, X-Frame-Options, SAMEORIGIN, clickjacking

Answer:

With configuration properties "security.x-frame-options.enabled" set to "true" and "security.x-frame-options.directive" set to "SAMEORIGIN", Spotfire pages can only be displayed if all ancestor frames are from the same origin (same domain). Spotfire Javascript API and embedded iframe pages will work as expected as long as same domain requirement has been met.

Additional details:

Spotfire Server environment can be protected against Clickjacking security vulnerability by setting optional configuration property "security.x-frame-options.enabled" to "true". This adds "X-Frame-Options" HTTP header in Spotfire responses to prevent this vulnerability, as described in this article:

https://support.tibco.com/s/article/How-to-protect-TIBCO-Spotfire-Server-against-Clickjacking-security-vulnerability

Related articles