Problem including checkmk into external iFrame

CMK version: 2.0.0b5
OS version: Docker (checkmk/check-mk-raw:2.0.0-latest)

Explanation:

A small html website running on a raspberry pi has multiple iFrames showing different things (e.g. grafana dashboards, ticket-system, and so on). Now we’re trying to include a checkmk dashboard.

We created this url:
https://checkmk.our-domain.de/cmk/check_mk/login.py?_username=raspberry&_password=xxxx&_login=1&_origtarget=/cmk/check_mk/dashboard.py%3Fname=networkapswitche
“networkapswitche” is the name of the dashboard we created.

(And by the way, the documentation is misleading here. You can’t have the ? character twice inside a URL, so each further ? character must be escaped as %3F.) The example in the documentation is wrong.

Error message: (Chrome Console)
Unsafe attempt to initiate navigation for frame with origin 'https://raspberry.our-domain.de' from frame with URL 'https://checkmk.our-domain.de/cmk/check_mk/login.py?_origtarget=dashboard.py%3Fname%3Dnetworkapswitche'. The frame attempting navigation is targeting its top-level window, but is neither same-origin with its target nor has it received a user gesture. See https://www.chromestatus.com/feature/5851021045661696.

The problem is the part “attempt to initiate navigation” and “navigation is targeting its top-level window”. This is also called framebusting, when an embedded site is trying to redirect the top-level window to another URL.

Conclusion:
It’s not a problem which can be solved with a Content-Security-Policy header or anything else, because even if the browser allows the checkmk initiated top-level navigation, it will burst our iFrame so that all other iFrames on the Raspberry html site are lost.

How is the login-redirect done? Can it be changed, so that it wouldn’t burst the iFrame? How do you include a checkmk inside an iFrame?

Hi basti,
I’m trying to figure out the exact same issue at the moment. Were you able to find a solution for this yet?

Many thanks in advance!

No, unfortunately not. All I have found on the net is that it should supposedly just work. But this is not so!

Hi, any updates on this? Maybe someone found a workaround/fix?

Please note that this will not be “fixed” for security reasons, and we strongly encourage you not to tinker around with HTTP headers at the system Apache level.

Maybe configuring the Grafana connector and displaying the Checkmk data in a public Grafana dashboard will do the job for you?

Can you please clarify your point? Does this mean it is not possible to add checkmk as an iframe to another web page?

Maybe configuring the Grafana connector and displaying the Checkmk data in a public Grafana dashboard will do the job for you?

We have this in mind but wanted to test checkmk integration first.

@mschlenker What can you say about the “current window does not have permission to navigate” error? Is it also in the scope of “Please note that this will not be “fixed” for security reasons, and we strongly encourage to not tinker around with HTTP headers on system Apache level”?

It’s very sad that checkmk cannot be opened in an iFrame this way. Even if there is a Grafana connector (or something else), it would add much complexity on top.

We just want to display a checkmk dashboard in an iFrame. So implement something where we could make a dashboard publicly accessible, add some kind of API key to authenticate to a dashboard, or implement another login-redirection for the origintarget.

I can understand your wishes, like including a Checkmk dashboard in some kind of signage app cycling through different status or info pages.

@a.ahmadzadeh, yes, that is all closely related. You can tinker with Apache headers at your own risk, but we neither endorse doing so nor provide support.

@basti With the finer granularity of permissions over the last years, view-only dashboards for view-only users aren’t even out of this world; someone just has to implement it. And Checkmk GmbH somehow has to prioritize.

You might create a user suggestion at https://features.checkmk.com/ to find out how many users would like to have such a feature.

@mschlenker The (core) developers of checkmk should realize themselves that this feature should be included in monitoring software. The purpose of displaying a view-only dashboard somewhere on an external monitor is far from exotic.

We have lots of customers with nice “war room” setups that use “monitoring only users” and are just used for viewing. But they do not use iframes. And currently those monitoring users can make changes to dashboards.

A perfectly embeddable dashboard would mean first creating the possibility to mark dashboards as available for iframe embedding, and either adding a restricted user role for viewing only or adding “allow public viewing”. It does not look like an immense effort, but it is not me prioritizing the work of developers. So please use https://features.checkmk.com/ and let’s find out how many users would appreciate such a feature.