Restrict Embedding of Publisher in iframes

You can prevent embedding of Publisher in iframes.

By default, users can embed Publisher in an iframe only if the iframe and Publisher are in the same domain.

If you want to allow embedding of Publisher in an iframe belonging to another domain or you want to completely restrict embedding of Publisher in an iframe, provide appropriate values for the X_FRAME_OPTIONS and FRAME_ANCESTORS properties in the xmlp-server-config.xml file.

Note:

If you set X_FRAME_OPTIONS to Deny and FRAME_ANCESTORS to none, you can’t access the user interface of Publisher from other products that can embed Publisher, including Oracle Analytics Server. If you specify values for both X_FRAME_OPTIONS and FRAME_ANCESTORS, the value used depends on the browser. Make sure you provide similar values for X_FRAME_OPTIONS and FRAME_ANCESTORS to ensure consistent behavior across browsers.

X_FRAME_OPTIONS Values

Value           Specifies
False           Do not set the header option.
Deny            Do not allow users to embed Publisher in iframes.
SameOrigin      Allow users to embed Publisher in iframes of the same domain. This is the default.
Allow-From url  Allow users to embed Publisher only from the domain specified in the url parameter.

FRAME_ANCESTORS Values

Value  Specifies
False  Do not set the header option.
none   Do not allow users to embed Publisher in iframes.
self   Allow users to embed Publisher in iframes of the same domain. This is the default.
url    Allow users to embed Publisher only from the domain specified in the url parameter.

The URL can be repeated and can be specified in more than one format.
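
The note above asks for similar values in both properties so that every browser enforces the same framing policy. The following check is an added example, not Oracle code: it compares a pair of configured values using the two tables on this page. The function names are hypothetical, repeated URLs are assumed to be separated by whitespace, and the example.com hosts are constructed.

```python
from urllib.parse import urlsplit

# Equivalent values, taken from the two tables on this page.
XFO_KINDS = {"false": "unset", "deny": "none", "sameorigin": "self"}
FA_KINDS = {"false": "unset", "none": "none", "self": "self"}

def origin(token):
    """Normalize a URL to scheme://host[:port]; other formats pass through lowercased."""
    token = token.strip().lower()
    if "://" not in token:
        return token
    parts = urlsplit(token)
    return f"{parts.scheme}://{parts.netloc}"

def parse_xfo(value):
    """Return (kind, origins) for an X_FRAME_OPTIONS value."""
    words = value.split()
    if len(words) == 1 and words[0].lower() in XFO_KINDS:
        return XFO_KINDS[words[0].lower()], frozenset()
    if len(words) == 2 and words[0].lower() == "allow-from":
        return "list", frozenset({origin(words[1])})
    raise ValueError(f"unrecognized X_FRAME_OPTIONS value: {value!r}")

def parse_fa(value):
    """Return (kind, origins) for a FRAME_ANCESTORS value.
    Assumption: repeated URLs are separated by whitespace."""
    words = value.split()
    if not words:
        raise ValueError("empty FRAME_ANCESTORS value")
    if len(words) == 1 and words[0].lower() in FA_KINDS:
        return FA_KINDS[words[0].lower()], frozenset()
    return "list", frozenset(origin(w) for w in words)

def check_frame_settings(xfo, fa):
    """Return a list of findings; an empty list means the two values agree."""
    xk, xo = parse_xfo(xfo)
    fk, fo = parse_fa(fa)
    findings = []
    if xk != fk:
        findings.append(f"policy differs: X_FRAME_OPTIONS={xk}, FRAME_ANCESTORS={fk}")
    elif xo != fo:
        findings.append("allowed origins differ: " + ", ".join(sorted(xo ^ fo)))
    if xk == fk == "none":
        findings.append("note: products that embed Publisher cannot show its user interface")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    print(check_frame_settings("Allow-From https://portal.example.com",
                               "https://portal.example.com https://bi.example.com"))
```

Because Allow-From carries a single URL, a FRAME_ANCESTORS value that lists several URLs is always reported as differing from it.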