New Default Setting in Tableau Server 9.1 Will Break Embedded Dashboards

If you embed your Tableau analytics dashboards through either a straight embedded i-frame or with the JavaScript API, upgrading your Tableau Server to 9.1 will cause some unexpected grief.

But it’s fixable.

After upgrading Tableau Server to 9.1, I was getting this error:

Refused to display 'https://path/to/my/tableau/dashboard?:embed=y&:showVizHome=n&:tabs=n&:to...' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Though not mentioned in the official release notes, Tableau has changed the default setting for Clickjacking defense. In the past, this feature was left false, which allowed for unrestricted embedding of Tableau dashboards.

In 9.1, the new default setting for clickjacking defense is true. Though a good default setting for security, it completely restricts any embedding.

To fix the behavior after upgrading, simply run the tabadmin command and restart your Tableau Server: 

tabadmin set wgserver.clickjack_defense.enabled false

More Info

Click the link below to read about Clickjack protection for Tableau Server:

http://onlinehelp.tableau.com/current/server/en-us/clickjack_protection.htm

For further information on Clickjack protection and previous versions of Tableau:

http://kb.tableau.com/articles/knowledgebase/clickjacking-protection