OS app in the iframe with another origin.

I have an OS web app inside of an iframe on another website.

Is there any way to get rid of this error? I can still see the page in the iframe and it works fine, the only difference is this error. I have a dirty solution in place, but I'm looking for a better one. 

Setting content security policy didn't help.

Hi Roman,

You'll have to change the settings in IIS (assuming you're using IIS) of the OutSystems platform server to allow that.

Ask your IIS admin to do it, but you'll probably have to tell him which domains should be allowed instead.


Carlos Ribeiro da Fonseca wrote:

Hi Roman,

You'll have to change the settings in IIS (assuming you're using IIS) of the OutSystems platform server to allow that.

Ask your IIS admin to do it, but you'll probably have to tell him which domains should be allowed instead.


Hi Carlos, thanks for your reply. Do you know exactly which ones to change? 

Regards,

Roman


Since the OutSystems platform does a lot of the management for you, I believe you'll have to remove the X-Frame-Options: SAMEORIGIN header and replace it with Access-Control-Allow-Origin: <domain you want to allow>. I'm not entirely sure where in the IIS settings -- in the OutSystems web application settings, because this is a per application setting.

In a normal ASP.NET web application you could simply change the web.config file, but that's not an option here.

Oh, and if you're using some form of cloud hosting you likely won't be able to do that yourself, you'll have to have your cloud provider do that change.


Carlos Ribeiro da Fonseca wrote:

Since the OutSystems platform does a lot of the management for you, I believe you'll have to remove the X-Frame-Options: SAMEORIGIN header and replace it with Access-Control-Allow-Origin: <domain you want to allow>. I'm not entirely sure where in the IIS settings -- in the OutSystems web application settings, because this is a per application setting.

In a normal ASP.NET web application you could simply change the web.config file, but that's not an option here.

Oh, and if you're using some form of cloud hosting you likely won't be able to do that yourself, you'll have to have your cloud provider do that change.


>>I believe you'll have to remove the X-Frame-Options: SAMEORIGIN header and replace it with Access-Control-Allow-Origin: <domain you want to allow>

I didn't have X-Frame-Options, but I tried adding Access-Control-Allow-Origin - didn't help. Thanks for the suggestion though.


What configuration do you have on the content security policy on the Frame Ancestors? (Not showing on the screenshot).

Did you try * there to see if it makes a difference?


Also are both applications OS apps? Do both declare security rules? Because it can be either the app inside the iframe blocking the usage on another origin or the reverse.

João Rosado wrote:

What configuration do you have on the content security policy on the Frame Ancestors? (Not showing on the screenshot).

Did you try * there to see if it makes a difference?


Also are both applications OS apps? Do both declare security rules? Because it can be either the app inside the iframe blocking the usage on another origin or the reverse.

I tried * in each one of those fields. Didn't help. 

Both are OS apps for now.

Hi Roman,


Been asking around about this problem and have a question: are those infrastructures On Premise, on the OutSystems Cloud or a Personal Environment?


Regards,

João Rosado

João Rosado wrote:

Hi Roman,


Been asking around about this problem and have a question: are those infrastructures On Premise, on the OutSystems Cloud or a Personal Environment?


Regards,

João Rosado

It's on premise. 


I checked and the platform is at the moment not adding automatically the X-Frame-Options. Some cloud and personal environments may still have it configured on IIS since it was for a short amount of time the default for new machines on O11.


If you check the response headers of your pages and you are getting the X-Frame-Options then recheck the IIS Headers configurations on both Web Site and Machine levels, one of them should be adding it.


If you don't have that header in any of your pages (the outside and inside the iframe) then see what is coming in the CSP headers for those pages, the frame ancestors option should allow it to work fine when there is no X-Frame-Options header.


Regards,

João Rosado
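
The header check described in the last post, written out as an added example (not part of the thread and not OutSystems code): given a page's response headers, it reports whether X-Frame-Options is present and whether the CSP frame-ancestors directive lets a given parent origin frame the page. The function names, the lower-cased header keys and the example.com / example.org hosts are assumptions made for illustration.

```javascript
// Added example (not OutSystems code). Header names are assumed lower-cased.
// Simplification: handles 'none', 'self', *, full origins and https://*.host
// wildcards; scheme-only or scheme-less sources are treated as non-matching.

function frameAncestorsSources(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, parent, self) {
  if (source === '*') return true;
  if (source === "'self'") return parent.origin === self.origin;
  try {
    if (source.includes('*.')) {
      const base = new URL(source.replace('*.', ''));
      return base.protocol === parent.protocol && base.port === parent.port &&
        parent.hostname.endsWith('.' + base.hostname);
    }
    return new URL(source).origin === parent.origin;
  } catch {
    return false; // 'none' and unparsable sources match nothing
  }
}

function framingVerdict(headers, pageUrl, parentOrigin) {
  const self = new URL(pageUrl);
  const parent = new URL(parentOrigin);
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const sources = frameAncestorsSources(headers['content-security-policy'] || '');
  const xfoPresent = xfo !== '';
  if (sources !== null) {
    // Browsers that support frame-ancestors enforce it and ignore X-Frame-Options.
    const allowed = sources.some((s) => sourceMatches(s, parent, self));
    return { allowed, decidedBy: 'frame-ancestors', xfoPresent };
  }
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options', xfoPresent };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parent.origin === self.origin, decidedBy: 'x-frame-options', xfoPresent };
  }
  return { allowed: true, decidedBy: 'none', xfoPresent };
}

// Constructed sample: headers of the framed page, its URL, and the embedding site.
const sample = { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://portal.example.org" };
console.log(framingVerdict(sample, 'https://app.example.com/Home', 'https://portal.example.org'));
```

Run it against the headers of both the outer page and the page inside the iframe; `xfoPresent: true` is the cue to recheck the IIS header configuration at Web Site and Machine level.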