Add a trusted site to allow iFrame

The default settings do not allow external sites to iframe internal MashZone NextGen assets such as dashboards and apps. Specifically, the response headers "X-Frame-Options: SAMEORIGIN" and "Content-Security-Policy: frame-ancestors 'self'" are set, which instruct the browser not to render MashZone NextGen content in any external iFrame. This restriction can be relaxed by changing the configuration and restarting.

Procedure

  1. Open the web.xml file in a text editor. The file is located in <MashZone NextGen installation>/MashZoneNG/apache-tomcat/webapps/[presto|mashzone]/WEB-INF/.
  2. Find the <filter> entry of the HTTP Header Security Filter and uncomment the antiClickJackingUris parameter.
  3. Replace the sample URI 'http://some-server' with the URI of the website allowed to iframe MashZone NextGen content.
  4. Find the <filter> entry for Content-Security-Policy. Insert the URI of the website allowed to iframe MashZone NextGen content into the policy parameter, between frame-ancestors and 'self'.

    Example:

    <init-param>
      <param-name>policy</param-name>
      <param-value>frame-ancestors http://*.eur.ad.sag:* 'self'</param-value>
    </init-param>
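
A review check to run after step 4, added here as an example and not part of the product or its documentation: it reads the policy init-param from web.xml and reports frame-ancestors entries that trust more than a single named HTTPS origin. The function names and the trimmed sample XML are constructed for illustration; only the policy value is the page's own example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.xml holding only the page's example init-param.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <init-param>
      <param-name>policy</param-name>
      <param-value>frame-ancestors http://*.eur.ad.sag:* 'self'</param-value>
    </init-param>
  </filter>
</web-app>"""

def local(tag):  # strip an XML namespace so namespaced web.xml files parse the same
    return tag.rsplit("}", 1)[-1]

def frame_ancestors(web_xml_text):
    """Return the frame-ancestors source list of every 'policy' init-param."""
    found = []
    for node in ET.fromstring(web_xml_text).iter():
        if local(node.tag) != "init-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("param-name") != "policy":
            continue
        for directive in fields.get("param-value", "").split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(tokens[1:])
    return found

def audit_sources(sources):
    """Return (source, issue) pairs for entries broader than one named HTTPS origin."""
    findings = []
    for src in sources:
        if src.lower() in ("'self'", "'none'"):
            continue
        if src == "*" or (src.endswith(":") and "//" not in src):
            findings.append((src, "matches any origin, or any origin on one scheme"))
            continue
        scheme, sep, rest = src.partition("://")
        hostport = (rest if sep else src).split("/", 1)[0]
        host, colon, port = hostport.partition(":")
        if sep and scheme.lower() == "http":
            findings.append((src, "cleartext http origin"))
        if host.startswith("*."):
            findings.append((src, "wildcard host: every subdomain may frame"))
        if colon and port == "*":
            findings.append((src, "wildcard port: any service on the host may frame"))
    return findings
```

Each finding marks an entry worth narrowing to the exact scheme, host and port of the embedding site before the restart.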