  1. Jira Align
  2. JIRAALIGN-2748

External Reports: "<website> refused to connect." error message

Details

    • Bug
    • Resolution: Fixed
    • Low
    • 10.78
    • 10.85, 10.86
    • reports - action items
    • None
    • 1
    • Severity 3 - Minor
    • No

    Description

      Issue Summary

      In External Reports, attempting to launch an external report displays a "<website> refused to connect." error message.

      • All affected websites share the following parameter configuration:
        • x-frame-options: SAMEORIGIN
      • Researched Mozilla's MDN site:

        SAMEORIGIN

        The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (...).

      Steps to Reproduce

      1. Set up Tableau as an External Report
      2. Browse to External Reports page
      3. Click the report created during step 1
      4. Notice the error message

      Expected Results

      • External report is loaded
      • PdM to confirm

      Actual Results

      • "<website> refused to connect." error message is displayed instead of the report.
      • Found error on DevTools/Console
        Refused to display 'https://tableau.data.internal.atlassian.com/#/views/ShipIt/OrphanedFeatureDashboard?:iid=1' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
        
      • Notice

        (...)
        x-frame-options: SAMEORIGIN
        (...)

        Request URL: https://tableau.data.internal.atlassian.com/
        Request Method: GET
        Status Code: 200 
        Remote Address: 10.125.59.159:443
        Referrer Policy: strict-origin-when-cross-origin
        accept-ranges: bytes
        cache-control: no-cache, no-store, must-revalidate
        content-encoding: gzip
        content-length: 722
        content-security-policy-report-only: connect-src * https://*.tiles.mapbox.com https://api.mapbox.com; default-src blob:; font-src * data:; frame-src * data:; img-src * data: blob:; object-src data:; report-uri /vizql/csp-report; script-src * blob:; style-src * 'unsafe-inline'
        content-type: text/html; charset=utf-8
        date: Wed, 20 Jan 2021 19:10:07 GMT
        etag: "9eb-59f22c1390fc0-gzip"
        expires: -1
        last-modified: Sat, 22 Feb 2020 04:41:43 GMT
        p3p: CP="NON"
        pragma: no-cache
        referrer-policy: no-referrer-when-downgrade
        server: Tableau
        vary: Cookie,X-Forwarded-Proto,Accept-Encoding
        x-content-type-options: nosniff
        x-frame-options: SAMEORIGIN
        x-tableau: Tableau Server
        x-ua-compatible: IE=Edge
        x-xss-protection: 1; mode=block
        :authority: tableau.data.internal.atlassian.com
        :method: GET
        :path: /
        :scheme: https
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        accept-encoding: gzip, deflate, br
        accept-language: en-US,en;q=0.9,pt;q=0.8,es;q=0.7,et;q=0.6
        cookie: atl_xid.xc=%7B%22value%22%3A%22309558ff-0ef8-4880-b740-497a8340aaaa%22%2C%22createdAt%22%3A%222020-12-28T18%3A04%3A48.698Z%22%2C%22type%22%3A%22xc%22%7D; seg_xid=c00bde81-6b38-4dc7-a15f-1e9908860fde; workgroup_session_id=null
        referer: https://sedemo1.jiraalign.com/
        sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
        sec-ch-ua-mobile: ?0
        sec-fetch-dest: iframe
        sec-fetch-mode: navigate
        sec-fetch-site: cross-site
        upgrade-insecure-requests: 1
        user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
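
Added example, not part of the original report and not Jira Align or Tableau code: a simplified JavaScript model of the browser's framing decision, run against the headers captured above. It shows that the report-only CSP and its frame-src directive play no part and that `x-frame-options: SAMEORIGIN` decides the outcome. The function names and the one-level, default-port source matching are assumptions of this sketch.

```javascript
// Added example (not Jira Align or Tableau code). Simplified model: one frame
// level, a single enforced CSP header, sources limited to 'none', 'self', *,
// and scheme://host or scheme://*.host on the default port.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === self;
  if (s === '*') return true;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)$/);
  if (!m) return false; // source form outside this simplified model
  const e = new URL(embedder);
  if (m[1] + ':' !== e.protocol || e.port !== '') return false;
  return m[2] ? e.hostname.endsWith('.' + m[3]) : e.hostname === m[3];
}

function canBeFramed(resourceUrl, headers, embedderUrl) {
  const self = new URL(resourceUrl).origin;
  const embedder = new URL(embedderUrl).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // Only the enforced header counts: content-security-policy-report-only
  // never blocks, and frame-src limits what a page embeds, not who embeds it.
  const ancestors = parseFrameAncestors(h['content-security-policy'] || '');
  if (ancestors !== null) { // frame-ancestors takes precedence over X-Frame-Options
    const allowed = ancestors.some((src) => sourceMatches(src, embedder, self));
    return { allowed, decidedBy: 'frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { allowed: embedder === self, decidedBy: 'x-frame-options' };
  return { allowed: true, decidedBy: 'none' };
}

// Headers abridged from the response captured in this report.
const reported = {
  'x-frame-options': 'SAMEORIGIN',
  'content-security-policy-report-only': "default-src blob:; frame-src * data:",
};
const result = canBeFramed('https://tableau.data.internal.atlassian.com/',
  reported, 'https://sedemo1.jiraalign.com/');
console.log(result);
```
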

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            People

              92b5b0dee038 Cullen Childress (Inactive)
              rcortez@atlassian.com Rodrigo Cortez