External Content: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
External Content component shows content from another webpage in the dashboards. For example Microsoft Sharepoint or other content management systems can be integrated into QPR ProcessAnalyzer. The External Content component uses the HTML ''iframe'' element to embed the website. | External Content component shows content from another webpage in the dashboards. For example Microsoft Sharepoint or other content management systems can be integrated into QPR ProcessAnalyzer. The External Content component uses the HTML ''iframe'' element to embed the website. | ||
== External Content URL == | == External Content URL == | ||
| Line 10: | Line 8: | ||
'''<nowiki>http(s)://SERVERNAME/ExternalPresentationObjects/ExternalPresentationObject1#variable1=<#variable1>&variable2=<#variable2></nowiki>''' | '''<nowiki>http(s)://SERVERNAME/ExternalPresentationObjects/ExternalPresentationObject1#variable1=<#variable1>&variable2=<#variable2></nowiki>''' | ||
== Content-Security-Policy restrictions== | |||
By default, only websites from the same origin than the QPR ProcessAnalyzer server can be embedded. This is restricted by the Content security policy (CSP) HTTP header ''child-src'' and ''frame-src'' directives. | |||
Example to allow to embed the google.com website to QPR ProcessAnalyzer: | |||
<pre> | |||
default-src 'none';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://google.com/;frame-src 'self' https://google.com/;object-src 'none';frame-ancestors 'self'; form-action 'none';base-uri 'none';worker-src blob:; | |||
</pre> | |||
More information how to change the CSP setting in [[QPR_ProcessAnalyzer_Security_Hardening#HTTP_Response_Headers|Security Hardening]]. | |||
== Web Browser Security Considerations == | == Web Browser Security Considerations == | ||
Some websites prevent themselves to be embedded into other websites using iframe. In those cases, the component will be left blank (in Chrome and Firefox) or there may be an error message "This content cannot be displayed in a frame". The way to workaround the issue is to have '''X-Frame-Options''' HTTP response header changed in the embedded website (more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). | Some websites prevent themselves to be embedded into other websites using iframe. In those cases, the component will be left blank (in Chrome and Firefox) or there may be an error message "This content cannot be displayed in a frame". The way to workaround the issue is to have '''X-Frame-Options''' HTTP response header changed in the embedded website (more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). | ||
Revision as of 14:57, 24 March 2026
External Content component shows content from another webpage in the dashboards. For example Microsoft Sharepoint or other content management systems can be integrated into QPR ProcessAnalyzer. The External Content component uses the HTML iframe element to embed the website.
External Content URL
External content URL defines the URL of the external page you want to embed. You can also use a relative path (e.g. "/examples/test.html"), if the page you want to embed is accessible by the same protocol, host, and port.
Passing Variables in Url
You can pass context variable values in the iframe url using the variable tags. Example:
http(s)://SERVERNAME/ExternalPresentationObjects/ExternalPresentationObject1#variable1=<#variable1>&variable2=<#variable2>
Content-Security-Policy restrictions
By default, only websites from the same origin than the QPR ProcessAnalyzer server can be embedded. This is restricted by the Content security policy (CSP) HTTP header child-src and frame-src directives.
Example to allow to embed the google.com website to QPR ProcessAnalyzer:
default-src 'none';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;connect-src 'self';font-src 'self' data:;manifest-src 'self';child-src 'self' https://google.com/;frame-src 'self' https://google.com/;object-src 'none';frame-ancestors 'self'; form-action 'none';base-uri 'none';worker-src blob:;
More information how to change the CSP setting in Security Hardening.
Web Browser Security Considerations
Some websites prevent themselves to be embedded into other websites using iframe. In those cases, the component will be left blank (in Chrome and Firefox) or there may be an error message "This content cannot be displayed in a frame". The way to workaround the issue is to have X-Frame-Options HTTP response header changed in the embedded website (more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).