Since 2.9: Iframes in external links

After the upgrade to version 2.9, external links are opened in IFrames:
https://monitoring.example.com/icingaweb2/iframe?url=https%3A%2F%2Ftickets.example.com%2Fissues%2F2907

We often put links to our ticket system into the comments of downtimes or acknowledgements, but our ticket system forbids loading of pages in an IFrame.

Is there a way to disable this and to load a new window or tab again?

The link processing in comments did indeed change with v2.9, but it’s still the same processing that’s done for navigation items and action urls as well. So these should have been opened in iFrames previously as well. Is that the case?

Icinga Web 2 only enforces iFrames when it detects an external link. A link is considered external if the HTTP scheme, hostname or port differs from the current request.

Your link does not match this and hence shouldn’t be detected as external.

We access the server’s name using the $_SERVER['SERVER_NAME'] PHP superglobal. You should ensure that this reflects the actual host’s name. Check your web server configuration for this.

Our monitoring host is monitor.example.com, the ticket system ticket.example.com. If I understand you right, this qualifies as an external link in comments since 2.9?
Can I change this behavior through configuration?

The link in the original post is the link that icingaweb2 generates from the pasted link (https://ticket.example.com/issues/2907)

No. It’s example.com in both cases, so it’s not an external resource. It should not be detected as an external link, but it is for some reason. Hence why I suggested to check the web server’s configuration.

I checked the web server; ServerName and UseCanonicalName (Apache) are set.

A short check with a PHP echo $_SERVER['SERVER_NAME'] command shows the right server name, monitor.example.com, on the site. Links to ticket.example.com are still loaded into IFrames.

Ohh, it’s monitor.example.com? Of course it is… well, sub-domains are not considered. That’s why it’s detected as external. Though, I’d need to check whether it’s safe to remove any sub-domain prior to the check before I could promise anything in that regard.

Glad we found it. I don’t think it would be wise to treat all sub-domains as internal. Maybe this should be something in configuration (like a list of domains which are treated as internal).
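The origin check described earlier in this thread (scheme, host or port differing from the current request), including the sub-domain case just found and the internal-domain list suggested here, as an added example that is not Icinga Web 2's own code; the isExternalUrl() function and the internalDomains option are assumptions:

```php
<?php
// Added example, not Icinga Web 2's own code. Mirrors the rule described in
// the thread: a link is external when scheme, host or port differ from the
// current request, so a sibling sub-domain counts as external. The
// $internalDomains allow-list is hypothetical configuration, not a real option.
declare(strict_types=1);

/**
 * @param string   $url             Link pasted into a comment.
 * @param string   $serverName      $_SERVER['SERVER_NAME'] of the current request.
 * @param string   $scheme          Scheme of the current request ('http'/'https').
 * @param int      $port            Port of the current request.
 * @param string[] $internalDomains Domains whose sub-domains are treated as internal.
 */
function isExternalUrl(string $url, string $serverName, string $scheme,
                       int $port, array $internalDomains = []): bool
{
    $parts = parse_url($url);
    // A relative link (no host) never leaves the current origin.
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $linkScheme = strtolower($parts['scheme'] ?? $scheme);
    $linkHost   = strtolower($parts['host']);
    $linkPort   = $parts['port'] ?? ($linkScheme === 'https' ? 443 : 80);

    // Strict origin comparison, as described in the thread.
    if ($linkScheme === strtolower($scheme)
        && $linkHost === strtolower($serverName)
        && $linkPort === $port) {
        return false;
    }
    // Allow-list: an exact match or a sub-domain of a configured domain is
    // internal, so monitor.example.com and ticket.example.com both match "example.com".
    foreach ($internalDomains as $domain) {
        $suffix = '.' . strtolower($domain);
        if ($linkHost === strtolower($domain)
            || substr($linkHost, -strlen($suffix)) === $suffix) {
            return false;
        }
    }
    return true;
}

// Constructed inputs reproducing the case from this thread.
$link = 'https://ticket.example.com/issues/2907';
var_dump(isExternalUrl($link, 'monitor.example.com', 'https', 443));
var_dump(isExternalUrl($link, 'monitor.example.com', 'https', 443, ['example.com']));
var_dump(isExternalUrl('/icingaweb2/monitoring/list/hosts', 'monitor.example.com', 'https', 443));
```

Without the allow-list the first call classifies the ticket link as external and it would be opened in an IFrame, which the ticket system's framing restriction then blocks; with ['example.com'] configured it is treated as internal.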

Could you describe why external links are loaded in IFrames? A lot of sites don’t allow this to prevent clickjacking.

It’s just the default. It can be configured for custom navigation items. Typically we just do that for convenience, as this way the user still sees the host/service/list/whatever in the left column while interacting with the ticketing system/wiki entry/whatever on the right. It just prevents the need to switch tabs.

But I’m not against changing the default. I personally added proxy_hide_header X-Frame-Options; to my local nginx dev env in order to allow grafana graphs in an iFrame :sweat_smile:. So, if you don’t mind, please open an issue and ask for changing the default target for urls in comments.

As reference: github issue
