Dear community,

Can I iframe a web page in OutSystems? I ask because I got an error like this.

I also use this in LifeTime, but it still doesn't do the trick.

Thanks in advance

Hi Agus,

Have a look at this post for the correct configurations of the Content Security Policy settings in LifeTime:

https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Apply_Content_Security_Policy

For the Frame-ancestors property, the only expressions allowed are 'self' or '*' (all). However, since 'self' is already the default value for this property, you don't need to fill it!

Regards,

Nordin

Hi Nordin,

Thanks for the reply. OK, I changed frame-ancestors to blank and it filled itself with self gap:, and I republished the application. It still has the error X-Frame option same-origin. I also tried with * just to make sure, in case self can't do the trick, but to no avail, I still got the error. Can you provide a guide to fix this?

Thanks in advance

Hello Agus,

If you are trying to iFrame a third-party web page that has X-Frame-Options set to sameorigin, then you can't. Other websites use this precisely to prevent their pages from being used inside an iFrame, for security reasons.

Cheers.

Hello Eduardo,

Is there any workaround for this, something like the InAppBrowser in a mobile app, or something else? I need this iframe for a payment gateway, because the finish redirect URL from the payment gateway website doesn't have the order ID, so I can't track it if I open a direct link to the payment gateway.

Thanks in advance


So your payment gateway web screen has this X-Frame-Options: SAMEORIGIN?

They must also have Content-Security-Policy (CSP) defined then.

Otherwise no website can embed their payment gateway screen.


Visit this URL: https://headers.cloxy.net/
Type your payment gateway URL, and tick the "I'm not a robot" box (verify you're a human if needed).


Look for headers:

- content-security-policy

- x-content-security-policy

- x-webkit-csp


Look for an asterisk (*) character in their CSP frame-ancestors; that indicates it allows being embedded on any domain.


Most modern browsers (Chrome/Firefox/Edge) prioritize CSP over X-Frame-Options.

For Safari though, you're doomed because Safari prioritizes X-Frame-Options over CSP, so you need to ask the payment gateway to remove the X-Frame-Options from their webpage.


Ref:

https://www.outsystems.com/forums/discussion/49280/how-to-remove-x-frame-options-safari-ios-embedding-problem/

https://stackoverflow.com/questions/54463608/how-to-fix-safari-ignoring-content-security-policy-when-x-frame-options-are-spec

Problem is that Safari 12 as of January 2019 still prioritizes X-Frame-Options over Content-Security-Policy.
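
The header check described in the last reply, as an added example that is not part of the original thread or of any OutSystems code: it takes a page's response headers and reports whether another origin may frame it, once with CSP frame-ancestors taking precedence and once with X-Frame-Options still enforced, as the thread describes for Safari 12. The function names, the origins and the sample headers are constructed for illustration, and only exact-origin, 'self', 'none' and * sources are handled.

```python
def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_allows(source, embedder, framed):
    """Match one source expression against the embedding page's origin."""
    if source == "*":
        return True
    if source == "'self'":
        return embedder == framed
    # Simplification: exact origins only; wildcard hosts and bare schemes never match here.
    return source.rstrip("/") == embedder


def xfo_allows(value, embedder, framed):
    """Evaluate X-Frame-Options; absent or unrecognised values impose no restriction."""
    value = (value or "").strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder == framed
    return True


def can_frame(headers, embedder, framed, xfo_first=False):
    """True if `embedder` (top-level page origin) may frame a page from `framed`.

    xfo_first=True models the Safari 12 behaviour described in the thread:
    X-Frame-Options is still enforced even when frame-ancestors is present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo_ok = xfo_allows(h.get("x-frame-options"), embedder, framed)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        return xfo_ok  # no frame-ancestors: X-Frame-Options alone decides
    csp_ok = any(source_allows(s, embedder, framed) for s in sources)
    return (xfo_ok and csp_ok) if xfo_first else csp_ok


# Constructed sample: hypothetical gateway that sends both headers.
SHOP, PAY = "https://shop.example", "https://pay.example"
BOTH = {"X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *"}
print(can_frame(BOTH, SHOP, PAY), can_frame(BOTH, SHOP, PAY, xfo_first=True))
```

A response carrying several Content-Security-Policy headers must satisfy every one of them, so run the check once per policy and require all to pass.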