By kilmerlopez96
The problem we have is that we are trying to open an iframe inside our web app, but when we try to load it, this is the error that shows up:

{"error":"You have lost your session and you have to login again.","success":true,"lostSession":true}

Basically, we are concatenating a URL based on the session ID and some other parameters to access a Dynaform, like this:


And even though we can access this URL on any browser, the iframe has never worked out for us.

We have disabled the X-Frame-Options and CORS on the server so I don't think that's the issue either.
By ronrich
Hello kilmerlopez96,

I got the iframe working with the following configuration:
Code:
#add_header X-Frame-Options SAMEORIGIN;

#add_header Content-Security-Policy "frame-ancestors 'self' ";
#add_header X-Content-Security-Policy "frame-ancestors 'self' ";
On the other hand, if this does not seem secure, then you can add this one:
Code:
Content-Security-Policy: frame-ancestors 'self' https://*
I hope this helps.
By kilmerlopez96
Hello, I did not mention it before, but the environment consists of 2 different servers (WebAPP and PM server).
We already applied your line in Apache2's HTTPD.CONF file like this:

<Directory />
Header set Content-Security-Policy "frame-ancestors 'self' 'http://localhost'"

but then the iframe is no longer showing (with a Connection Refused error). Also, the browser console returns:

Refused to frame 'http://PMserverIP/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
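
Added example (not code from this thread): a simplified model of how a browser evaluates frame-ancestors for one embedding page, applied to the two-server case above. The header is sent by the server being framed, so 'self' means that server's own origin and not the web app's, and a host written inside single quotes is not a valid source and is ignored. Host names and function names are made up for the example.

```javascript
// Added example: simplified CSP Level 3 frame-ancestors check for ONE parent origin.
// Simplifications: paths are ignored, no http->https upgrade matching, and a bare *
// is treated as "any host on the framed page's scheme".
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function parseSource(token) {
  if (/^'(self|none)'$/i.test(token)) return { kind: token.slice(1, -1).toLowerCase() };
  if (/^[a-z][a-z0-9+.-]*:$/i.test(token)) return { kind: 'scheme', scheme: token.toLowerCase() };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(token);
  if (!m) return { kind: 'invalid', token }; // e.g. a host wrapped in single quotes
  return { kind: 'host', scheme: m[1] ? m[1].toLowerCase() + ':' : null,
           host: m[2].toLowerCase(), port: m[3] || null };
}

function sourceMatches(src, parent, self) {
  if (src.kind === 'self') return parent.origin === self.origin;
  if (src.kind === 'scheme') return parent.protocol === src.scheme;
  if (src.kind !== 'host') return false;       // 'none' and invalid tokens match nothing
  const scheme = src.scheme || self.protocol;  // schemeless source uses the framed page's scheme
  if (parent.protocol !== scheme) return false;
  const host = parent.hostname.toLowerCase();
  const hostOk = src.host === '*' ||
    (src.host.startsWith('*.') ? host.endsWith(src.host.slice(1)) : host === src.host);
  const port = parent.port || DEFAULT_PORTS[parent.protocol];
  const portOk = src.port === '*' || port === (src.port || DEFAULT_PORTS[scheme]);
  return hostOk && portOk;
}

// policy: header value sent by the framed server; parentUrl: page holding the <iframe>;
// selfUrl: the framed page. Returns the decision plus any tokens the browser would ignore.
function frameAncestorsAllows(policy, parentUrl, selfUrl) {
  const directive = policy.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (!directive) return { allowed: true, ignored: [] }; // CSP imposes no framing limit
  const sources = directive.slice(1).map(parseSource);
  const parent = new URL(parentUrl), self = new URL(selfUrl);
  return { allowed: sources.some(s => sourceMatches(s, parent, self)),
           ignored: sources.filter(s => s.kind === 'invalid').map(s => s.token) };
}

// Constructed scenario: pm.example.test sends the header, webapp.example.test embeds it.
const PM = 'http://pm.example.test/', WEBAPP = 'http://webapp.example.test/';
for (const policy of [
  "frame-ancestors 'self'",
  "frame-ancestors 'self' 'http://localhost'",
  "frame-ancestors 'self' http://webapp.example.test",
]) console.log(policy, '=>', JSON.stringify(frameAncestorsAllows(policy, WEBAPP, PM)));
```

A browser applies this check to every ancestor of the framed page, so with nested frames each level has to pass.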
