It seems the server configuration for X-Frame-Options is now set to SAMEORIGIN, but I didn't make any change to cause this.  As of a few weeks ago, I could embed within an iFrame successfully.  We are hosted in OutSystems, and it seems this change may have been made during the upgrade to v11.  I need to embed part of the OutSystems app in an iFrame, so for now this isn't possible.  Can I modify this setting somehow?


I tried using HttpRequestHeaders to add a directive, but then there are two headers and an error is created:  "Refused to display '***' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('allow-from https://www.***.com, SAMEORIGIN'). Falling back to 'deny'."

Hi David,

Do you have Content Security Policy turned on in LifeTime? If yes, the default value of frame-ancestors is self, so you will only be able to use it in an iframe on the same domain. Check this post.

Regards,

Marcelo

Hi David,

Can you please share what type of error you are getting inside the framed OutSystems page? I had a similar problem myself, and the X-Frame-Options config didn't work for me whatsoever.

Thanks,

Roman

Marcel, the "Enable Content Security Policy" is not checked.  

Roman, if I access the embedded content without calling it through an iFrame, it loads okay.  If I load it through the iFrame without taking any measures, the browser console reports "Refused to display 'https://zzz.outsystemscloud.com/NeverIdle_Web/EquipmentListEmbed.aspx' in a frame because it set 'X-Frame-Options' to 'sameorigin'."

Hmm.. Interesting. I get another one. And no measures in the X-Frame-Options actually helped. 

David Austin wrote:

Marcel, the "Enable Content Security Policy" is not checked.  

Roman, if I access the embedded content without calling it through an iFrame, it loads okay.  If I load it through the iFrame without taking any measures, the browser console reports "Refused to display 'https://zzz.outsystemscloud.com/NeverIdle_Web/EquipmentListEmbed.aspx' in a frame because it set 'X-Frame-Options' to 'sameorigin'."

Hi David,

You have to add the X-Frame directive tag "allow from" in the web config file of the project from which you are trying to access the page (suppose you have a page named "a" inside project "x"; then you have to add the X-Frame directive tag "allow from" in the web config file of project x). Then you can embed it inside the iframe. Hope this works for you.

Regards.

Koushik


Solution

I fixed the issue thanks to Marcelo pointing me to the Content Security Policy. I turned it on and then entered "*" for the "Frame-ancestors" property. Since it was the first time turning on the CSP, I had to fine-tune the other settings too, because for example I load images from Cloudinary and had to allow that. Thanks everyone for the help and suggestions.

Solution

Hi David,

For security reasons you should use the exact domains you are expecting to use your pages in an iframe instead of all ("*").

Regards,

Marcelo 
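To see which of the header set-ups discussed in this thread would let a given parent page frame the app, here is an added example (not from this thread, and not OutSystems code): a small Python model of the browser's framing decision, using constructed headers and made-up example.com origins. When a CSP frame-ancestors directive is present it decides and X-Frame-Options is ignored; otherwise X-Frame-Options applies, with conflicting repeated headers falling back to deny, which is the case David hit with HttpRequestHeaders.

```python
from urllib.parse import urlsplit

# Constructed response headers modelled on the browser messages quoted in this thread.
XFO_CONFLICT = [("X-Frame-Options", "allow-from https://www.example.com"),
                ("X-Frame-Options", "SAMEORIGIN")]
CSP_ANY = [("Content-Security-Policy", "frame-ancestors *")]
CSP_EXACT = [("Content-Security-Policy",
              "default-src 'self'; frame-ancestors 'self' https://portal.example.com")]

def _values(headers, name):
    return [v.strip() for k, v in headers if k.lower() == name.lower()]

def _frame_ancestors(headers):
    # Source list of the first frame-ancestors directive, or None if no CSP carries one.
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None

def _source_matches(source, parent, page):
    # Match one frame-ancestors source ('self', 'none', *, or a host source) against parent.
    s = source.lower()
    if s in ("*", "'self'", "'none'"):
        return s == "*" or (s == "'self'" and parent == page)
    p = urlsplit(parent)
    scheme, _, host = s.partition("://") if "://" in s else ("", "", s)
    if scheme and scheme != p.scheme:
        return False
    if host.startswith("*."):
        return p.hostname.endswith(host[1:])
    return p.hostname == host

def framing_allowed(headers, page_origin, parent_origin):
    """Return (allowed, reason): may parent_origin frame a page served from page_origin?"""
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:  # CSP frame-ancestors present: X-Frame-Options is ignored
        ok = any(_source_matches(s, parent_origin, page_origin) for s in ancestors)
        return ok, "frame-ancestors " + " ".join(ancestors)
    xfo = _values(headers, "X-Frame-Options")
    if not xfo:
        return True, "no framing restriction"
    if len({v.lower() for v in xfo}) > 1:  # conflicting repeated headers fall back to deny
        return False, "conflicting X-Frame-Options values: " + ", ".join(xfo)
    v = xfo[0].lower()
    if v in ("deny", "sameorigin"):
        return v == "sameorigin" and parent_origin == page_origin, "X-Frame-Options: " + v
    return True, "unrecognised X-Frame-Options value ignored (ALLOW-FROM is obsolete)"
```

Compare CSP_ANY with CSP_EXACT to see the difference between "*" and the exact-domain list Marcelo recommends: the former admits any parent origin, the latter only the listed ones with a matching scheme.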

David Austin wrote:

I fixed the issue thanks to Marcelo pointing me to the Content Security Policy. I turned it on and then entered "*" for the "Frame-ancestors" property. Since it was the first time turning on the CSP, I had to fine-tune the other settings too, because for example I load images from Cloudinary and had to allow that. Thanks everyone for the help and suggestions.

Hi David,

Can you screenshot the settings with frame-ancestors?

Because I got this error.

I already use self or * and republished the application, but the error is still the same.

Thanks in advance.