Clickjack Protection

Tableau Server includes protection against clickjack attacks. Clickjacking is a type of attack against web pages in which the attacker tries to lure users into clicking or entering content by displaying the page to attack in a transparent layer over an unrelated page. In the context of Tableau Server, an attacker might try to use a clickjack attack to capture user credentials or to get an authenticated user to change settings on your server. For more information about clickjack attacks, see Clickjacking(Link opens in a new window) on the Open Web Application Security Project website.

Note: Clickjack protection was available in previous versions of Tableau Server, but was disabled by default. New installations of Tableau Server 9.1 and later will always have clickjack protection on unless you explicitly disable it.

Effects of clickjack protection

When clickjack protection is enabled on Tableau Server, the behaviour of pages loaded from Tableau Server changes in the following ways:

  • Tableau Server adds the X-Frame-Options: SAMEORIGIN header to certain responses from the server. In the current versions of most browsers, this header prevents the content from being loaded into an <iframe> element, which helps prevent clickjacking attacks.

  • The top-level page from Tableau Server cannot be loaded in <iframe> elements. This includes the sign-in page. One consequence is that you cannot host Tableau Server pages in an application that you create.

  • Only views can be embedded.

  • If an embedded view requires data source credentials, a message is displayed in the <iframe> element with a link to open the view in a secure window where the user can safely enter credentials. Users should always verify the address of the opened window before entering credentials.

  • Views can be loaded only if they include the :embed=y parameter in the query string, as in this example:


    Note: When clickjack protection is enabled, embedded views that use the URL copied from the browser address bar might not load. These view URLs usually contain the hash symbol (#) after the server name (for example, http://myserver/#/views/Sales/CommissionModel?:embed=y) are blocked when clickjack protection is enabled on Tableau Server.

Disabling clickjack protection

You should leave clickjack protection enabled unless it is affecting how your users work with Tableau Server. If you want to disable clickjack protection, use the following tsm commands:

  1. tsm configuration set -k wgserver.clickjack_defense.enabled -v false
  2. tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!