Embedding Metric Insights content in sites that have a different domain

Metric Insights by default only allows embedding in sites that are on the same domain. For example, if Metric Insights is on domainA.com then MI content can be embedded in other sites if those are are on the same domainA.com domain. 

However, if MI content must be embedded in a site that is on a different domain, e.g. domainB.com, Metric Insights will reject that embed request. 

Here, we show you how to update Metric Insights to allow embedding in sites that have a different domain.

x-frame-options: "SAMEORIGIN"

Metric Insights uses Apache for the web server. To ensure embedding is only allowed on sites that are on the same domain, we set the following for Apache by default:

Header set x-frame-options: "SAMEORIGIN"

Disable x-frame-options: "SAMEORIGIN"

To disable this x-frame-options setting, please follow these steps (applies to all deployment types, from Simple Installs to Orchestrated):

  1.  Enter the Web Container
    • For Simple Installs, on the server host, run sudo mi-console to enter
    • For Kubernetes, run kubectl exec -it <web-master-pod-name> bash
    • For OpenShift, run oc exec-it <web-master-pod-name>  bash
    • For Docker Swarm, run docker exec -it <web-master-container-name> bash
  2.  Open metricinsights-custom.conf in an editor by running vim /etc/apache2/mi.conf.external.d/metricinsights-custom.conf
  3. Enter the following to disable the x-frame-options: "SAMEORIGIN" setting then save and exit:
Header unset X-Frame-Options
Header append Content-Security-Policy "frame-ancestors 'self' <required domain name, where MI content will be embedded>;"

Pay particular attention to <required domain name, where MI content will be embedded>. This is where you specify domainB.com for example (the site where MI content will be embedded):

Header unset X-Frame-Options
Header append Content-Security-Policy "frame-ancestors 'self' domainB.com;