If you are embedding HCL Domino Leap Applications or Forms into portals and sites not hosted on the same Domino Server as Domino Leap, you might encounter issues due to the Content-Security-Policy (CSP) HTTP Response Header.
Starting with HCL Domino Leap 1.1.5, a Strict CSP policy has been introduced. By default, Domino Leap sets the CSP in the response headers to the following value:
Content-Security-Policy: frame-ancestors 'none';
This policy prevents the embedded Leap content from being displayed on websites not hosted on the same Domino Server as Leap. In the browser’s developer tools, under the network tab, you will see the following error message:
NS_ERROR_CSP_FRAME_ANCESTOR_VIOLATION
Important: Before modifying the Content-Security-Policy (CSP), consult your security team and ensure you understand the security implications. Links to detailed CSP documentation are provided at the end of this post.
Resolving the Issue #
To address this, you can configure the CSP as described in the official HCL Domino Leap documentation. In my lab environment, where the Domino server and other websites/portals share the fictional “domain.com” domain, I added the following Domino Leap configuration setting:
Shows the HCL Domino Leap “runtimeCSP” configuration setting.
Setting Name: runtimeCSP
Setting Value: frame-ancestors 'self' https://*.domain.com
This configuration allows Domino Leap Forms to render successfully. However, be aware of the limitations of Strict CSP settings described in the official Domino Leap documentation. For instance, the above configuration will not work for embedding form results data and/or summary charts.
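As an added illustration (not code from this post or from HCL), the following Python checker applies the CSP frame-ancestors matching rules to the two header values discussed above, so you can see why 'none' blocks every embedding page and what https://*.domain.com does and does not admit. The host names leap.domain.com and portal.domain.com are constructed for the example; the matcher is deliberately strict (it ignores the spec's http-to-https upgrade allowance) and does not consider the separate X-Frame-Options header.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Reduce a URL to the (scheme, host, port) tuple that CSP compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def frame_ancestors_sources(header):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, ancestor, protected):
    """Does one CSP source expression match the embedding page's origin?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return ancestor == protected
    if src.endswith(":") and "://" not in src:  # scheme-source such as https:
        return ancestor[0] == src[:-1]
    scheme, _, hostport = src.rpartition("://")  # host-source: [scheme://]host[:port]
    host, _, port = hostport.partition(":")
    if scheme and scheme != ancestor[0]:  # strict: no http->https upgrade allowance
        return False
    if not scheme and ancestor[0] != protected[0]:
        return False
    wanted_port = int(port) if port and port != "*" else DEFAULT_PORTS.get(ancestor[0])
    if port != "*" and wanted_port != ancestor[2]:
        return False
    if host.startswith("*."):  # wildcard matches subdomains only, not the bare domain
        return ancestor[1].endswith(host[1:])
    return host == ancestor[1]

def ancestor_allowed(header, ancestor_url, protected_url):
    """True if a page at ancestor_url may frame content served with this CSP header."""
    sources = frame_ancestors_sources(header)
    if sources is None:  # no frame-ancestors directive: CSP itself does not limit framing
        return True
    ancestor, protected = origin_of(ancestor_url), origin_of(protected_url)
    return any(source_matches(s, ancestor, protected) for s in sources)
```

Run it against the header you actually observe on the Leap response in the browser's network tab to confirm which portal origins a rule admits before changing it.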
To address these limitations, I disabled the “runtimeCSP” setting and added a new Domino Web Site Rule to override the default CSP settings set by Leap:
Shows the HCL Domino Web Site Rule which overrides the CSP-settings of Leap.
Note: After configuring this Web Site rule, refresh the Domino HTTP task to activate it by running the following command:
tell http refresh
Once this Web Site Rule was active, I was able to embed Domino Leap forms and other data into websites and portals hosted on different servers within my environment.
Learn More About CSP and frame-ancestors Directive #
To gain a deeper understanding of the Content-Security-Policy HTTP Response Header and its frame-ancestors directive in general, I recommend reading the following pages:
MDN: Content-Security-Policy Overview