Hello all. Our US production instance of GoodData - which we embed via an iframe - is throwing a CSP error since approximately 12pm EET today. Here’s the error:

`Refused to frame <gooddata_domain> because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".`

We have another GoodData production instance in the EU, and that is working fine - it is not throwing this error. I’ve raised a support ticket for this as it’s critical for us - our US customers will be coming online soon.

Hi Eoghan, We are currently checking the situation. 👀 Could you please clarify what kind of embedding do you use in your application? Ideally, it is recommended to have the hostname of the parent app included in your Content Security Policy.

Thanks Julius. We embed via an iframe element:

<iframe title="Workspace analytics" class="analytics_gdc-iframe__obay0" src="<our_gooddata_domain>/appLogin?redirectTo=/dashboards/embedded/#/workspace/<workspace_id>/dashboard/<dashboard_id>?showNavigation=false"></iframe>

yes, that is correct

Understood. I’ve added a

frame-ancestors

setting to the CSP for our US prod instance, and that does seem to have fixed the issue.

Glad to hear it’s sorted out. Is there anything else we can help with?

Well to be honest this problem was a bit perplexing. I’ve only used the CSP up to now for plugins, i.e. it wasn’t necessary to set anything to get the embedding working in our application. Is there somewhere in the documentation that indicates the CSP frame-ancestors should always be set?

Hello Eoghan, Sorry for the inconvenience caused by this. This change of functionality was not intended, we will revert it. If you keep the csp directive as it is now, it won't break your solution after the revert, so I recommend to leave it there. We might want to go this way in the future, but we aim to to announce such changes in advance with proper documentation.

Hi @Boris - no worries, it was quick to resolve and we got to it before our customers noticed simple smile Thank you for the clarification as well. I’ll keep the CSP frame-ancestors in for our production instances, and add it for our non-prod - no harm.

Hi, we have the exact same error. We also use good data cloud and Iframe embedding. How can we add the frame-ancestors settings in our good data instance ? > For including the hostname of the parent, you mean in the Content Security Policy settings in our GoodData instance, right?

Hi Alexandre, Please check the bellow manual with all the necessary steps: https://www.gooddata.com/docs/cloud/manage-organization/set-up-csp-for-organization/#set-csp-directives

Thanks I've added the csp directiive and it's now working

@Eoghan Bonass @Alexandre Hermann FYI, the change of the functionality was just reverted. In any case, as was mentioned by my colleague Boris, the revert won’t affect you now and we recommend you to leave the CSP frame-ancestors set.

Thanks, A side note, it would be nice to been notified for this kind of changes. Our customers were impacted by this outage.

Definitely. That is the reason why we’ve reverted the change and next time, we will inform our customers about this change in advance. We are really sorry for the inconvenience caused.

We still have issues, when we try to add a visualization to a dashboard !

Okay, sorry for that Alexandre, removing the csp directive should fix it … that was the issue that was supposed to be fixed originally

OK I had to remove the csp directives frame-ancestors to get it working. But now I am worried, If you add this change again, it will break again. > @Eoghan Bonass @Alexandre Hermann FYI, the change of the functionality was just reverted. In any case, as was mentioned by my colleague Boris, the revert won’t affect you now and we recommend you to leave the CSP frame-ancestors set.

We will have to figure out how to fix it without such impact, if there will be any changes upcoming, they will be announced in release notes