How to configure the NICE DCV Web Client to work in iFrames

NICE DCV offers native clients for Windows, Linux and macOS for best performance, as well as a convenient HTML5 browser-based web client.

For strongest security, the DCV web client by default refuses to be embedded inside an iFrame, which prevents “clickjacking” attacks. There are scenarios where you have a controlled environment and want to embed the DCV remote desktop client into another website. This guide shows how to allow this by configuring the respective HTTP headers.

To allow the NICE DCV server on Windows to be embedded in an iFrame, set the following HTTP headers in the Windows registry.

In HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\connectivity we set two String (SZ) values. To show the iFrame as part of a page on, for example, www.ni-sp.com, set them as follows (replace the domain with your own; you can usually skip the “web-x-frame-options” entry, as it has become obsolete):

web-x-frame-options ALLOW-FROM https://www.ni-sp.com
web-extra-http-headers  [("Content-Security-Policy", "frame-ancestors https://*.ni-sp.com https://ni-sp.com")] 

If you prefer PowerShell, you can set the “web-extra-http-headers” option with the following command (replace the domain with your own):

New-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\connectivity" -Name "web-extra-http-headers" -PropertyType String -Value "[('Content-Security-Policy', 'frame-ancestors https://*.ni-sp.com https://ni-sp.com')]" -Force

For DCV on Linux, set the HTTP headers in the dcv.conf file. Here is an example:

[connectivity]
web-x-frame-options="ALLOW-FROM https://ni-sp.com"
web-extra-http-headers=[("Content-Security-Policy", "frame-ancestors https://*.ni-sp.com https://ni-sp.com")]

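If you want to allow embedding from any HTTPS origin, you can use “frame-ancestors https:”. This lets every HTTPS site frame the web client, so it no longer limits embedding to sites you control.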
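The policy above lists both https://*.ni-sp.com and https://ni-sp.com because a wildcard host does not cover the apex domain. The following Python check is an added example, not part of the original guide or of NICE DCV; it applies a simplified version of the browser's frame-ancestors matching to the policies from this page, and the function names and the WILDCARD_ONLY policy are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Policy strings: the first and third are the values shown on this page,
# the second is a constructed variant that omits the apex-domain entry.
PAGE_POLICY = "frame-ancestors https://*.ni-sp.com https://ni-sp.com"
WILDCARD_ONLY = "frame-ancestors https://*.ni-sp.com"
ANY_HTTPS = "frame-ancestors https:"

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, origin):
    """Simplified CSP source match ('self', port wildcards and paths not modelled)."""
    url = urlsplit(origin)
    source = source.lower()
    if source.startswith("'"):
        return False                      # 'none' matches nothing; 'self' not modelled
    if source == "*":
        return url.scheme in DEFAULT_PORTS
    if source.endswith(":"):              # scheme-source such as "https:"
        return url.scheme == source[:-1]
    # Assumption: a schemeless host-source is treated as https.
    src = urlsplit(source if "://" in source else "https://" + source)
    if src.scheme != url.scheme:
        return False
    # Without an explicit port, only the scheme's default port matches.
    if (src.port or DEFAULT_PORTS.get(src.scheme)) != (url.port or DEFAULT_PORTS.get(url.scheme)):
        return False
    host, pattern = url.hostname or "", src.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # needs a subdomain label, so the apex fails
    return host == pattern

def may_embed(csp, origin):
    """True if a page at `origin` is allowed to frame a response carrying `csp`."""
    sources = frame_ancestors(csp)
    if sources is None:
        return True                       # no directive: CSP does not restrict framing
    return any(source_matches(s, origin) for s in sources)

if __name__ == "__main__":
    for origin in ("https://www.ni-sp.com", "https://ni-sp.com", "https://example.org"):
        print(origin, may_embed(PAGE_POLICY, origin), may_embed(WILDCARD_ONLY, origin))
```

The same check shows that a parent page served on a non-default port (for example https://www.ni-sp.com:8443) is not covered unless the port is written into the source expression.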

More about clickjacking:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers and https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking

If you have any questions, please feel free to contact us.