An External Site Is Not Displayed as an iframe in an HTML Portlet

Article ID: 203445

Updated On:

Products

Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

After creating an HTML Portlet with the following code,

<iframe src="some URL"></iframe>

the portlet does not display the site at that URL, or it shows an error icon, depending on the browser.

The Developer Tools console in the browser shows a message like this:

Refused to display 'some URL' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Environment

Any Clarity release.

Cause

The 'X-Frame-Options' HTTP response header is set to 'SAMEORIGIN'.

With this server configuration, the page can only be displayed in a frame on the same origin as the page itself, so unless the framing page is on the same site, it will not be displayed.

The result is similar if the header is set to DENY, except that the page will not be displayed in a frame regardless of which site tries to frame it.

ALLOW-ORIGIN needs to specify the hostname for each URL at the website level, which would not be a viable solution in most cases for security reasons.

These behaviors are browser-specific and might also vary by version. Some browsers will also block the page if 'X-Frame-Options' or an equivalent alternative configuration is not found.
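The cause described above can be checked before building the portlet. The following added example (not part of the original article and not Clarity code) evaluates a response's X-Frame-Options header against the page that would host the iframe. The function name, the example.test hosts and the sample headers are assumptions, and only DENY and SAMEORIGIN are evaluated.

```javascript
// Added example, not Clarity code. frameVerdict and the example.test hosts
// are hypothetical; the response headers below are constructed samples.
function frameVerdict(responseHeaders, framedUrl, parentPageUrl) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value);
  }
  const raw = headers["x-frame-options"];
  if (raw === undefined) {
    return "unknown: no X-Frame-Options header, result depends on the browser";
  }
  // If several values were sent, this example lets the most restrictive decide.
  const values = raw.split(",").map((v) => v.trim().toUpperCase());
  if (values.includes("DENY")) {
    return "blocked: DENY forbids framing from any site";
  }
  if (values.includes("SAMEORIGIN")) {
    // An origin is scheme + host + port, so http:// and https:// differ.
    const same = new URL(framedUrl).origin === new URL(parentPageUrl).origin;
    return same
      ? "allowed: SAMEORIGIN and both pages share an origin"
      : "blocked: SAMEORIGIN and the parent page is on another origin";
  }
  return "unknown: unrecognised value, result depends on the browser";
}

const PARENT = "https://clarity.example.test/portal"; // page hosting the portlet
const SAMPLES = [
  ["https://reports.example.test/", { "X-Frame-Options": "SAMEORIGIN" }],
  ["https://clarity.example.test/help", { "x-frame-options": "sameorigin" }],
  ["http://clarity.example.test/help", { "X-Frame-Options": "SAMEORIGIN" }],
  ["https://intranet.example.test/", { "X-Frame-Options": "DENY" }],
  ["https://wiki.example.test/", { "Content-Type": "text/html" }],
];

function checkSamples() {
  return SAMPLES.map(([url, hdrs]) => `${url} -> ${frameVerdict(hdrs, url, PARENT)}`);
}

console.log(checkSamples().join("\n"));
```

The third sample shows that a page on the same host is still blocked when the scheme differs, because the origin comparison includes the scheme and port.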

 

Resolution

Unless the configuration is changed on the destination server, this URL cannot be displayed in a frame inside Clarity. Changing this configuration could lead to security issues or vulnerabilities, so it must be reviewed carefully.

Instead of an HTML page, please use "Favorite Links" (Classic UI) or Links in Modern UX; the redirection will always work safely and reliably.

Additional Information

X-Frame-Options - HTTP | MDN