By kilmerlopez96
#829891
The problem we have is that we are trying to open an iframe inside our web app, but when we try to load it this is the error that shows up:

{"error":"You have lost your session and you have to login again.","success":true,"lostSession":true}

Basically we are concatenating a URL based on the session ID and some other parameters to access a Dynaform, like this:

http://IP/sysworkflow/en/neoclassic/cases/cases_Step?TYPE=DYNAFORM&UID=4090090356263852256eb10037961424&POSITION=1&ACTION=EDIT

And even though we can access this URL on any browser, the iframe has never worked out for us.

We have disabled the X-Frame-Options and CORS on the server so I don't think that's the issue either.
By ronrich
#829897
Hello kilmerlopez96,

I got the iframe working with the following configuration:
#add_header X-Frame-Options SAMEORIGIN;

#add_header Content-Security-Policy "frame-ancestors 'self' ";
#add_header X-Content-Security-Policy "frame-ancestors 'self' ";
On the other hand, if this seems to not be secure, then you add this one:
Content-Security-Policy: frame-ancestors 'self' https://midomain.com https://*.midomain.com 
I hope this helps
By kilmerlopez96
#829902
Hello, I did not mention it before, but the environment consists of 2 different servers (WebAPP and PM server).
We already applied your line in Apache2's HTTPD.CONF file like this:

<Directory />
Header set Content-Security-Policy "frame-ancestors 'self' 'http://localhost'"
</Directory>

but then the iframe is no longer showing (with a Connection Refused error). Also, the browser console returns:

Refused to frame 'http://PMserverIP/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".
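
An added example, not part of any post above: a simplified JavaScript model of how a browser matches the page holding the iframe against a `frame-ancestors` source list, showing that a host source wrapped in single quotes matches nothing and that a web app on a second server must be listed by its own origin. The function names and the `pm.example.test` / `webapp.example.test` hosts are assumptions made for illustration; paths, scheme-only sources and IPv6 literals are not handled.

```javascript
// Simplified model of CSP frame-ancestors matching (not a full CSP3 implementation).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Returns the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(headerValue) {
  for (const directive of headerValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent: CSP places no restriction on framing
}

function sourceMatches(source, ancestor, self) {
  if (source === "'self'") return ancestor.origin === self.origin;
  // Any other quoted token ('none', or a quoted URL such as 'http://localhost')
  // is not a host source, so it matches no ancestor.
  if (source.startsWith("'")) return false;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : self.protocol;
  // An http source also matches an https ancestor (scheme upgrade).
  const schemeOk = ancestor.protocol === wantScheme ||
    (wantScheme === "http:" && ancestor.protocol === "https:");
  const h = ancestor.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
  const ancestorPort = ancestor.port || DEFAULT_PORT[ancestor.protocol];
  const portOk = port === "*" || ancestorPort === (port || DEFAULT_PORT[ancestor.protocol]);
  return schemeOk && hostOk && portOk;
}

// framedUrl: the page that sends the header; ancestorUrl: the page holding the <iframe>.
function mayFrame(headerValue, framedUrl, ancestorUrl) {
  const sources = parseFrameAncestors(headerValue);
  if (sources === null) return true;
  const self = new URL(framedUrl), ancestor = new URL(ancestorUrl);
  return sources.some((s) => sourceMatches(s, ancestor, self));
}

// Constructed sample values (placeholder hosts, not taken from the thread).
const PM = "http://pm.example.test/sysworkflow/en/neoclassic/cases/cases_Step";
const QUOTED = "frame-ancestors 'self' 'http://localhost'";
const UNQUOTED = "frame-ancestors 'self' http://localhost";
const WITH_APP = "frame-ancestors 'self' http://webapp.example.test";
console.log(mayFrame(QUOTED, PM, "http://localhost/"));              // false
console.log(mayFrame(UNQUOTED, PM, "http://localhost/"));            // true
console.log(mayFrame(UNQUOTED, PM, "http://webapp.example.test/"));  // false
console.log(mayFrame(WITH_APP, PM, "http://webapp.example.test/"));  // true
```
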