Matlab app with matlab-proxy and CSP frame-ancestors

Hi OOD Community,

In case you are interested in using the excellent matlab-proxy package for your Matlab OOD app, I have a quick tip for you. I am not a web-developer, so please excuse my poor explanations below.

There has been a OOD portal configuration (ood_portal.yml) variable called security_csp_frame_ancestors since at least OOD version 1.8. As explained here, this Content-Security-Policy (CSP) directive specifies what sources can embed content via frames or iframes in a given page. Be default, the security_csp_frame_ancestors variable is set to the hostname of the OOD host.

Well, it turns out that the matlab-proxy embeds the Matlab interface within a frame. If you use any other domain other than the OOD host (for instance, an alias like login.cluster.school.edu), the frame content is being delivered to another domain that is not permitted by the CSP rules, and the default behavior is for the browser to block the content entirely.

To fix this, you can set the value of security_csp_frame_ancestors to include both the OOD server and your alternate domains like this:

security_csp_frame_ancestors: "https://ondemand.school.edu https://login.cluster.school.edu"
# or for multiple subdomains
security_csp_frame_ancestors: "https://ondemand.school.edu https://*.cluster.school.edu"

Generate the portal again, restart HTTPD and your Matlab app should work great.

2 Likes

Interesting. I have not had to do that for it when running OOD 3.0.1.

I definitely want to second though that the matlab-proxy is a huge improvement over having to run it in a virtual desktop.

Morgan, your comment made me go back and look at my notes and I have updated my post above (corrections in bold) to try and better explain the issue and solution.

It works fine if you are logging in to a domain that matches the OOD server name – the problem only occurs when using alternate domains/aliases.

1 Like

Gotcha! Good to know!