Zum Hauptinhalt springen

Explanation of the issue

  • Issue: The customer’s website is blocking embedding into an iFrame due to its security settings.
  • Purpose of Security Settings: These settings prevent clickjacking attacks and ensure that the site’s content is not embedded into other sites without permission.
  • Solution: The customer’s web admin needs to adjust these settings to allow embedding.

Tutorial for your Web Admin

1. Identify the Blocking Mechanism
  • Check ‘X-Frame-Options’: This header controls whether a browser should allow a page to be rendered in an iFrame. It can be set to DENY, SAMEORIGIN, or ALLOW-FROM.
  • Check Content Security Policy (CSP): CSP can also prevent a page from being loaded in an iFrame. Look for the frame-ancestors directive.
2. Modifying ‘X-Frame-Options’
  • Allow from Specific Domain: Set the header to ALLOW-FROM https://go.plural.io to allow embedding on your specific domain.
  • Allow from Same Origin: If both sites are on the same domain, set it to SAMEORIGIN.
3. Adjusting Content Security Policy
  • Modify **frame-ancestors** Directive: Add your domain to the frame-ancestors directive in the CSP header. For example, frame-ancestors 'self' https://go.plural.io;.
4. Implementing the Changes
  • Server Configuration: These headers are usually set in the web server configuration (e.g., Apache, Nginx) or in the application code (e.g., PHP, Node.js).
  • Testing: After making changes, test by embedding the site in an iFrame on your platform.
5. Caution
  • Security Implications: Understand that allowing a website to be embedded can have security implications. It should be done only if necessary and with understanding of the risks.

Notes for Communication between different Stakeholders

  • Communicate Clearly: Make sure to explain why these changes are needed and how they will benefit both parties.
  • Security Awareness: Emphasize that these changes should be made with a clear understanding of the security implications.