Monday 25 May 2015

APEX iFrame Security setting

At some point during APEX development you may find yourself putting an Oracle APEX page within an iFrame.
<iframe src="//myserver.com.au/ords/f?p=SAGE:1023:&SESSION."></iframe>

Just recently I did just that and came across an error I expected to see, but a little curious as to how it presented itself.

Refused to display '//myserver.com.au/ords/f?p=SAGE:1023:30559832045078' in a frame because it set 'X-Frame-Options' to 'DENY'.

Googling the last half of the message returns some interesting discussions on how this works from a web technology perspective
http://stackoverflow.com/questions/27358966/how-to-set-x-frame-options-on-iframe

The idea is that it can protect from clickjacking behaviours. APEX manipulates browser settings through an application security attribute "Embed in Frames". Allowing from same origin is deferring trust to the hosting server.


You might need to adjust this for scenarios such as

  • modal dialog plugins
  • embedding an apex page as a region within another page 
  • attempting multiple IR per page prior to APEX 5
  • APEX page embedded within a Portal

Dan McGhan explains the properties in more depth:
http://www.danielmcghan.us/2011/08/new-browser-security-attributes-in-apex.html

Current APEX 5 documentation:
http://docs.oracle.com/cd/E59726_01/doc.50/e39147/bldr_attr.htm#HTMDB29922
though I'm pretty sure the setting was introduced in 4.1.

Scott

3 comments:

Anonymous said...

Thank you!!!

It worked for me :)

Miguel Rosemberg said...

Is it any solution working with ORDS ? My Apex does not have the option, it just have a "box" for HTTP Response for writing code.

Scott Wesley said...

I'm not sure, I haven't looked at this for a while. What version APEX/ORDS are you on?