Dear community,
Can I iframe a web page in OutSystems to do this? Because I got an error like this.
And I use this in LifeTime, but it still doesn't do the trick.
Thanks in advance.
Hi Agus,
Have a look at this post for the correct configurations of the Content Security Policy settings in LifeTime:
https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Apply_Content_Security_Policy
For the Frame-ancestors property, the only expressions allowed are 'self' or '*' (all). However, since 'self' is already the default value for this property, you don't need to fill it!
Regards,
Nordin
Nordin Ahdi wrote:
Hi Nordin,
Thanks for the reply. OK, I changed frame-ancestors to blank and it filled itself with self gap: and I republished the application, but it still has the error X-Frame option same-origin. I also tried with * just to make sure, in case self can't do the trick, but to no avail, I still got the error. Can you provide a guide to fix this?
Thanks before
Hello Agus,
If you are trying to iFrame a third-party web page that has the X-Frame-Options set to sameorigin, then you can't. Other websites use this exactly to prevent their pages from being used inside an iFrame, for security reasons.
Cheers.
Eduardo Jauch wrote:
Hello Eduardo,
Is there any workaround for this, something like InAppBrowser in a mobile app, or something else? I need this iframe for a payment gateway, because the finish redirect URL from the payment gateway website doesn't have the order ID, so I can't track it if I open a direct link to the payment gateway.
So your payment gateway web screen has this X-Frame-Options: SAMEORIGIN?
They must also have Content-Security-Policy (CSP) defined then.
Otherwise no website can embed their payment gateway screen.
Visit this URL: https://headers.cloxy.net/
Type your payment gateway URL, and tick the "I'm not a robot" box (verify you're a human if needed).
Look for headers:
- content-security-policy
- x-content-security-policy
- x-webkit-csp
Look for an asterisk (*) character in their CSP frame-ancestors; that indicates it allows being embedded on any domain.
Most modern browsers (Chrome/Firefox/Edge) will prioritize CSP over X-Frame-Options.
For Safari though, you're doomed, because Safari prioritizes X-Frame-Options over CSP, so you need to ask the payment gateway to remove the X-Frame-Options from their webpage.
Ref:
https://www.outsystems.com/forums/discussion/49280/how-to-remove-x-frame-options-safari-ios-embedding-problem/
https://stackoverflow.com/questions/54463608/how-to-fix-safari-ignoring-content-security-policy-when-x-frame-options-are-spec
Problem is that Safari 12 as of January 2019 still prioritizes X-Frame-Options over Content-Security-Policy.
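
The header check described in the last reply, as an added example that is not part of the original thread: given a page's response headers, it reports whether a browser would allow that page inside a frame on another origin, once with CSP `frame-ancestors` taking priority and once with X-Frame-Options taking priority (the Safari 12 behaviour as the thread describes it). The function names, hostnames and sample headers are constructed for illustration, and source matching is simplified (no ports or paths).

```python
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the directive is absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def source_allows(src, embedder, framed):
    """Simplified CSP source matching: *, 'self', 'none', scheme:, host, *.host."""
    scheme, host, _ = origin(embedder)
    if src == "*":
        return True
    if src == "'self'":
        return origin(embedder) == origin(framed)
    if src.endswith(":"):                      # scheme-source such as "https:"
        return src[:-1] == scheme
    want_scheme, _, want_host = src.rpartition("://")
    if want_scheme and want_scheme != scheme:
        return False
    if want_host.startswith("*."):             # wildcard subdomain
        return host.endswith(want_host[1:])
    return host == want_host                   # 'none' never equals a hostname

def can_embed(headers, embedder, framed, xfo_first=False):
    """True if `framed` may be shown in a frame on `embedder` given its headers."""
    h = {k.lower(): v for k, v in headers.items()}
    fa = frame_ancestors(h.get("content-security-policy"))
    csp_ok = None if fa is None else any(source_allows(s, embedder, framed) for s in fa)
    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_ok = {"DENY": False, "SAMEORIGIN": origin(embedder) == origin(framed)}.get(xfo)
    # xfo_first models X-Frame-Options winning over CSP, as the thread says of Safari 12.
    order = (xfo_ok, csp_ok) if xfo_first else (csp_ok, xfo_ok)
    return next((v for v in order if v is not None), True)

# Constructed sample: a gateway that sends both headers.
GATEWAY = {"X-Frame-Options": "SAMEORIGIN",
           "Content-Security-Policy": "default-src 'self'; frame-ancestors *"}
SHOP, PAY = "https://shop.example/cart", "https://pay.example/checkout"
```

With these sample headers, `can_embed(GATEWAY, SHOP, PAY)` allows the frame while `can_embed(GATEWAY, SHOP, PAY, xfo_first=True)` blocks it, which is the mismatch between browsers that the reply points out.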