We are trying to display a web page in Clarity PPM Blueprint Channel Modules but are getting a "Load denied by X-Frame-Options" security error.
Load denied by X-Frame-Options: https://<website.xyz.com> does not permit cross-origin framing.
Header Details:
Request URL: https://<website.xyz.com>
Request method: Get
X-Frame-Option: SAME ORIGIN
Excerpt of another error message you may see:
Refused to display 'https://<website.xyz.com>' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Environment
Release: Component: ODSEC
Resolution
The issue is not with Clarity; it is a restriction on the SSO application. The application needs to have a whitelist (CORS) capability to trust Clarity.
This happens because of the external application's security policy, and Clarity PPM cannot override the security policy of another application. Applications have built-in security, and Clarity PPM can't control that. Clarity PPM can do certain things to get the content to display.
For example: if you want to display external applications within PPM, PPM will trust that application and it will display, provided that the protocols (HTTP or HTTPS) match. So if you have an HTTPS PPM server and are trying to render an HTTP site, which is not secured, that is a security violation and the browser will prevent it from displaying.
We can also tell PPM to whitelist certain domains, and we do that automatically as soon as the user populates the URL value (you may have to refresh or navigate away for the updated whitelist domains to be read).
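To check which side is blocking a channel, the added example below (not Broadcom or Clarity code) applies the rules a browser uses when deciding whether to render a framed page: the protocol match described above, then the target's Content-Security-Policy frame-ancestors directive, then X-Frame-Options. The host names are constructed placeholders, and the matching is simplified to the immediate parent page and scheme://host sources.

```javascript
// Added example (simplified): predict whether a browser will render targetUrl
// in a frame on parentUrl. `headers` = target's response headers, lower-cased keys.
// Only the immediate parent is checked, and only scheme://host sources are parsed.
function matchesSource(src, parent, target) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parent.origin === target.origin;
  if (s === "*") return true;
  const m = s.match(/^(https?:)\/\/(\*\.)?([^/:]+)$/);
  if (!m || m[1] !== parent.protocol) return false;
  return m[2] ? parent.hostname.endsWith("." + m[3]) : parent.hostname === m[3];
}

function framingVerdict(parentUrl, targetUrl, headers) {
  const parent = new URL(parentUrl);
  const target = new URL(targetUrl);

  // Mixed content: an HTTPS page may not frame a plain-HTTP document.
  if (parent.protocol === "https:" && target.protocol === "http:") {
    return "blocked: mixed content";
  }

  // When CSP frame-ancestors is present, browsers ignore X-Frame-Options.
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    return sources.some((src) => matchesSource(src, parent, target))
      ? "allowed" : "blocked: CSP frame-ancestors";
  }

  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return "blocked: X-Frame-Options DENY";
  if (xfo === "sameorigin" && parent.origin !== target.origin) {
    return "blocked: X-Frame-Options SAMEORIGIN";
  }
  return "allowed";
}

// Constructed sample values (hypothetical hosts, not from the page).
const clarity = "https://clarity.example.com/pm";
const sso = "https://sso.example.com/login";
console.log(framingVerdict(clarity, sso, { "x-frame-options": "SAMEORIGIN" }));
console.log(framingVerdict(clarity, sso, {
  "content-security-policy": "frame-ancestors 'self' https://clarity.example.com",
  "x-frame-options": "SAMEORIGIN",
}));
console.log(framingVerdict(clarity, "http://intranet.example.com/", {}));
```

Feed it the response headers captured from the browser's network tab for the framed URL; a "blocked" verdict from either header means the change has to be made on the external application, not in Clarity.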