Wednesday, 30 August 2017

Set 'X-Frame-Options' In Liferay DXP To Allow Iframe Access


You might have seen the error message below in your browser console when including a Liferay page URL in an iframe.

Refused to display 'liferay-url' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Liferay does not allow any of its URLs to be loaded in an iframe when the request comes from a different domain. If the domain is the same, you can load Liferay URLs in an iframe without any problem.

One way to resolve this is to disable the check entirely by setting the property below in system-ext.properties.
(Prior to Liferay DXP this property was part of portal.properties, but from DXP onwards it has been moved to system.properties.)

    #
    # Set this to true for the portal to send the "X-Frame-Options: DENY" HTTP
    # header to protect against clickjacking.
    #
    # Custom HTTP header values instead of "DENY" can be specified per URL via
    # the properties "http.header.secure.x.frame.options.*".
    #
    http.header.secure.x.frame.options=false

If you disable this property, all your Liferay URLs become frameable from any site, which leaves them open to clickjacking. This is not a recommended way to fix the issue.

As an alternative, you can list only the URLs you want to include in an iframe using the property below in system-ext.properties. Each URL needs its own numbered property.

    #
    # If the property "http.header.secure.x.frame.options" is set to true, then
    # the portal will iterate through the properties
    # "http.header.secure.x.frame.options.*" where the wildcard "*"
    # is replaced with an int number starting from 0 and ending with 255 to find
    # a pipe (|) delimited URL and HTTP header value pair (e.g. "/|SAMEORIGIN").
    #
    # Upon finding a matched URL, the portal will use the custom HTTP header
    # value instead of the "DENY" value.
    #
    # By default, URLs that start with "/" will use a custom HTTP header value
    # of "SAMEORIGIN". Specify another URL and HTTP header value with a number
    # smaller than 255 to intercept this default behavior.
    #
    # Each value is a "URL|HEADER-VALUE" pair. https://example.com below is a
    # placeholder for the origin that is allowed to frame the page; replace it
    # with the domain of the site that embeds the iframe.
    http.header.secure.x.frame.options.1=/web/guest/home|ALLOW-FROM https://example.com
    http.header.secure.x.frame.options.4=/web/test/home|ALLOW-FROM https://example.com
    http.header.secure.x.frame.options.5=/servlet-url/servlet-content|ALLOW-FROM https://example.com
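As an added example (not code from this post or from Liferay), the small Python resolver below applies the lookup order documented in the comments above (indices 0 to 255, "URL|VALUE" pairs, lowest index wins) to a constructed system-ext.properties, so you can check which X-Frame-Options value a given path would get before touching the portal. Assumptions not verified against Liferay's source: a rule matches when the request URI starts with the rule's URL, an entry without a "|" separator is ignored, and the index-255 "/|SAMEORIGIN" default is written out explicitly; https://trusted.example.com is a placeholder origin.

```python
"""Resolve the X-Frame-Options value Liferay would send for a request path,
following the lookup order described in the property comments: indices 0..255,
each a pipe-delimited "URL|VALUE" pair, first match wins."""

PREFIX = "http.header.secure.x.frame.options"

# Constructed sample of a system-ext.properties. https://trusted.example.com
# is a placeholder origin; index 255 mirrors Liferay's stock "/|SAMEORIGIN"
# default so that unlisted paths still get SAMEORIGIN rather than DENY.
SAMPLE_PROPERTIES = """# clickjacking protection stays enabled
http.header.secure.x.frame.options=true
http.header.secure.x.frame.options.1=/web/guest/home|ALLOW-FROM https://trusted.example.com
http.header.secure.x.frame.options.4=/web/test/home|ALLOW-FROM https://trusted.example.com
http.header.secure.x.frame.options.5=/servlet-url/servlet-content|SAMEORIGIN
http.header.secure.x.frame.options.255=/|SAMEORIGIN
"""


def parse_properties(text):
    """Minimal Java .properties reader: skip blank/comment lines, split on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_x_frame_options(props, request_uri):
    """Return the header value the portal would send, or None when the header is
    switched off entirely. Assumptions (not verified against Liferay source):
    a rule matches when request_uri starts with its URL, and an entry without
    a '|' separator (a bare URL, no header value) is ignored."""
    if props.get(PREFIX, "true").lower() != "true":
        return None  # header disabled: every page is frameable from anywhere
    for index in range(256):
        rule = props.get(f"{PREFIX}.{index}")
        if rule is None:
            continue
        url, sep, header_value = rule.partition("|")
        if not sep or not url:
            continue  # malformed entry, nothing to apply
        if request_uri.startswith(url):
            return header_value
    return "DENY"  # nothing matched: the documented default
```

ALLOW-FROM was never implemented by Chrome or Safari, so confirm the result in the browsers your embedding page targets; against a running portal, `curl -sI <url> | grep -i x-frame-options` shows the header actually sent.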
