IBM Cognos Analytics 11.0.4 – solution for reports blocked in iframes

With the IBM Cognos Analytics 11.0.4 release, if IBM Cognos content (reports, analysis studio, portal pages) is embedded in an application using an iframe, then a new feature blocks rendering.

Note: This feature/issue was removed in 11.0.5. The outbound IIS UrlRewrite defined here can be removed.

But for those who are using 11.0.4 with QueryVision’s SharePoint Web Parts for IBM Cognos, or who use the Cognos SDKs/URLs to embed IBM content in a web application, we have an interim solution.

Symptoms

There are two viewers in IBM Cognos Analytics 11 – the new “interactive viewer” used for the interactive enabled reports and the new “explorer” dashboard, plus the “classic viewer”, which uses URL requests – like the following example – to run or view reports:

http://w12r2ca111/ibmcognos/bi/v1/disp?b_action=cognosViewer&ui.action=run&ui.object=storeID(%27iFB15C1DD57A34052A9291A6CAA0C7CFD%27)&run.outputFormat=HTML&cv.header=false

What we discovered is that while the new “interactive viewer” – which uses new URLs and has a JSON-centric approach – works in frames without issue, the “classic viewer” would result in “This content cannot be displayed in a frame”. Two examples:

  • A simple HTML page with an iframe (html and the viewer URL included in the left pane)

[Screenshot: simple HTML page with a blocked iframe]

  • Embedded in iframe in SharePoint 2016 using a web part:

[Screenshot: SharePoint page with a blocked iframe]

Doing a “view source” revealed that for 11.0.4, the IBM Cognos “classic viewer” pages include “X-Frame-Options: SAMEORIGIN” in the page header for the IBM Cognos HTML in the iframe.

As the option/value pair suggests, the browser will refuse to render the HTML if the IBM content is in an iframe and the parent page/frame is not from the same “origin”/domain/web server. And unless you are building an application that lives within the IBM Cognos application domain, the content will be blocked.

The available X-Frame-Options include DENY, SAMEORIGIN & ALLOW-FROM <uri>, so for better security, ALLOW-FROM <uri> would seem to be an option, however:

  • It only allows a single uri – and Cognos content may be used in many applications across different sites in an organization
  • It is a static site configuration value (e.g. in your site’s web.config file).

The solution, as described here in Alexey Sadomov’s blog, is to apply an IIS Manager URL rewrite on outbound responses for the ibmcognos virtual directory to change the “X-Frame-Options: SAMEORIGIN” to “X-Frame-Options:”, which disables the function.

The result is that the web.config file in the ibmcognos\webcontent folder will be modified to include the highlighted URL outbound re-write rule:

[Screenshot: web.config with the X-Frame-Options outbound rewrite rule highlighted]
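To see how each header value discussed above affects framing, the following added example (not from the original post or from IBM or QueryVision) models the browser's X-Frame-Options decision for a framed page and its parent. The SharePoint parent URLs are constructed; the Cognos URL is the host from the example above, shortened. An empty value is treated as no restriction, which is the behaviour the rewrite relies on.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Cognos host taken from the page's example URL; parent URLs are constructed.
COGNOS_URL = "http://w12r2ca111/ibmcognos/bi/v1/disp?b_action=cognosViewer"
SHAREPOINT_PARENT = "http://sharepoint.example/sites/reports/page.aspx"
OTHER_PARENT = "http://intranet.example/dashboard.html"


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def frame_allowed(xfo_value, framed_url, parent_url):
    """Decide whether framed_url may render in an iframe on parent_url.

    Simplified model: only the immediate parent page is compared.
    """
    if xfo_value is None:
        return True                     # header absent: no restriction
    tokens = xfo_value.strip().split(None, 1)
    if not tokens:
        return True                     # empty value (after the rewrite): ignored
    directive = tokens[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin(framed_url) == origin(parent_url)
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        # Only one URI can be named, so every other embedding site is blocked.
        return origin(tokens[1]) == origin(parent_url)
    return True                         # unrecognised value: treated as no header


if __name__ == "__main__":
    cases = [
        ("SAMEORIGIN", SHAREPOINT_PARENT),                       # 11.0.4 default
        ("ALLOW-FROM http://sharepoint.example", SHAREPOINT_PARENT),
        ("ALLOW-FROM http://sharepoint.example", OTHER_PARENT),  # second site
        ("", SHAREPOINT_PARENT),                                 # after the rewrite
    ]
    for value, parent in cases:
        verdict = "rendered" if frame_allowed(value, COGNOS_URL, parent) else "blocked"
        print(f"X-Frame-Options: {value!r:40} parent={parent} -> {verdict}")
```

With the header emptied, every parent page is allowed, not only the SharePoint site, so the rewrite is best scoped to the ibmcognos virtual directory as the post describes.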