iFrame settings usage from other domain
Comments
-
Hi,
The documentation around iFrames specify that the hosting site needs to be on the same domain [url=https://documentation.decisions.com/docs/decisions-platform-in-an-iframe]https://documentation.decisions.com/docs/decisions-platform-in-an-iframe[/url]. This is done by using the x-Frame-Options directive and setting it to Same-Origin.
There is a content-security-policy header ([url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors]https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors[/url] ) that allows for domains other than the original to be specified that can load iFrames.
Is this something that could be set in the decisions website to allow other domains to embed the iFrames? Or is there some compatibility from the decisions engine that would make this impossible/not recommended.
Regards
Paul0 -
Hello Paul,
Allow-from is now a deprecated option that will no longer work on most modern browsers. As a workaround, we can change the value from using "SameOrigin" to "*" in the web.config file. This should allow cross domain hosting. As far as the Content Security Policy documentation provided, this is something that we would need to look at more on our end for implementation.
Regards,
Mike0 -
Hi Mike, thanks for the reply - using a * i assume would mean it is completely unrestricted in terms of which probably would be too risky. I would be keen to know if you could investigate the content-security-policy as I believe the frame ancestors configuration is the replacement for the deprecated allow-from setting you mentioned.
0 -
Also just to follow up on my reply, what I am looking for is if there is anything specific in decisions that we should need to know about embedding iframes. I see that the response in the following [url=https://support.decisions.com/forum/topic2606-decisions-external-forms.aspx]https://support.decisions.com/forum/topic2606-decisions-external-forms.aspx[/url] is to remove the x-frame-options completely.
Is it just a case of web configuration needing to be correct rather than anything specifically decisions related?
0 -
As there is a little more information here we would be looking at I am going to go ahead and create a support ticket for this.
0