Explanation of the issue
- Issue: The customer’s website is blocking embedding into an iFrame due to its security settings.
- Purpose of Security Settings: These settings prevent clickjacking attacks and ensure that the site’s content is not embedded into other sites without permission.
- Solution: The customer’s web admin needs to adjust these settings to allow embedding.
Tutorial for your Web Admin
1. Identify the Blocking Mechanism-
Check ‘X-Frame-Options’: This header controls whether a browser should allow a page to be rendered in an iFrame. It can be set to
DENY,SAMEORIGIN, orALLOW-FROM. -
Check Content Security Policy (CSP): CSP can also prevent a page from being loaded in an iFrame. Look for the
frame-ancestorsdirective.
-
Allow from Specific Domain: Set the header to
ALLOW-FROM https://go.plural.ioto allow embedding on your specific domain. -
Allow from Same Origin: If both sites are on the same domain, set it to
SAMEORIGIN.
- Modify
**frame-ancestors**Directive: Add your domain to theframe-ancestorsdirective in the CSP header. For example,frame-ancestors 'self' https://go.plural.io;.
- Server Configuration: These headers are usually set in the web server configuration (e.g., Apache, Nginx) or in the application code (e.g., PHP, Node.js).
- Testing: After making changes, test by embedding the site in an iFrame on your platform.
- Security Implications: Understand that allowing a website to be embedded can have security implications. It should be done only if necessary and with understanding of the risks.
Notes for Communication between different Stakeholders
- Communicate Clearly: Make sure to explain why these changes are needed and how they will benefit both parties.
- Security Awareness: Emphasize that these changes should be made with a clear understanding of the security implications.
