Monday, 25 May 2015

APEX iFrame Security setting

At some point during APEX development you may find yourself putting an Oracle APEX page within an iframe:
<iframe src="//myserver.com.au/ords/f?p=SAGE:1023:&SESSION."></iframe>

Just recently I did just that and came across an error I expected to see, but I was a little curious as to how it presented itself.

Refused to display '//myserver.com.au/ords/f?p=SAGE:1023:30559832045078' in a frame because it set 'X-Frame-Options' to 'DENY'.

Googling the last half of the message returns some interesting discussions on how this works from a web technology perspective:
http://stackoverflow.com/questions/27358966/how-to-set-x-frame-options-on-iframe

The idea is that the X-Frame-Options response header protects against clickjacking: the browser refuses to render the page inside a frame unless the header permits it. APEX sets this header according to the application security attribute "Embed in Frames". Choosing "Allow from same origin" defers trust to the hosting server, since only pages served from the same scheme, host and port may then frame the application.
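
To see how the browser arrives at the refusal above, here is a small policy evaluator, added for this post and not part of APEX or the original article. It assumes the three "Embed in Frames" values map to the headers shown in EMBED_IN_FRAMES (constructed here; verify against your own instance's responses) and also honours a CSP frame-ancestors directive, which modern browsers prefer over X-Frame-Options when both are present.

```python
from urllib.parse import urlsplit

# Assumed mapping of the APEX "Embed in Frames" values to the response header
# each one produces (constructed for this example; verify against your instance).
EMBED_IN_FRAMES = {
    "Deny": {"X-Frame-Options": "DENY"},
    "Allow from same origin": {"X-Frame-Options": "SAMEORIGIN"},
    "Allow from any site": {},  # header omitted: any page may frame the app
}

def origin(url):
    """Return (scheme, host, port), the tuple browsers compare for SAMEORIGIN."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def framing_allowed(headers, framed_url, top_url):
    """Predict whether a browser renders framed_url inside a document at top_url.
    Returns (allowed, reason). A CSP frame-ancestors directive, when present,
    overrides X-Frame-Options, so a DENY header alone is not the whole story."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            allowed = set()
            for src in parts[1:]:
                src = src.strip("'").lower()
                if src == "none":
                    return False, "frame-ancestors 'none'"
                allowed.add(origin(framed_url) if src == "self" else origin(src))
            ok = origin(top_url) in allowed
            return ok, "frame-ancestors %s" % ("match" if ok else "mismatch")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        ok = origin(framed_url) == origin(top_url)
        return ok, "X-Frame-Options: SAMEORIGIN (%s)" % ("same" if ok else "cross")
    return True, "no framing restriction"

if __name__ == "__main__":
    apex = "https://myserver.com.au/ords/f?p=SAGE:1023:"  # page from the post
    for setting, hdrs in EMBED_IN_FRAMES.items():
        for top in ("https://myserver.com.au/portal/", "https://portal.example.com/"):
            print(setting, top, framing_allowed(hdrs, apex, top))
```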

You might need to adjust this for scenarios such as:

  • modal dialog plugins
  • embedding an APEX page as a region within another page
  • attempting multiple interactive reports (IR) per page prior to APEX 5
  • an APEX page embedded within a Portal

Dan McGhan explains the properties in more depth:
http://www.danielmcghan.us/2011/08/new-browser-security-attributes-in-apex.html

Current APEX 5 documentation:
http://docs.oracle.com/cd/E59726_01/doc.50/e39147/bldr_attr.htm#HTMDB29922
though I'm pretty sure the setting was introduced in 4.1.

Scott
