Does the Laserfiche iframe support cross-origin communication (i.e. using window.postMessage) in order to support responsive resizing of the iframe?
Question
Does the Laserfiche iframe support cross-origin communication?
Replies
I believe the web client should update itself in response to its window being resized. If it doesn't, I don't think there are any messages you could send it to trigger a reflow, regardless of the origin.
It's a bit of a security risk for applications to allow themselves to be embedded in an iframe due to the possibility of clickjacking attacks (https://owasp.org/www-community/attacks/Clickjacking). Both self-hosted and Cloud solutions use the X-Frame-Options approach to block embedding of the web client in an iframe. The difference is that for self-hosted solutions, the page and frame are typically on the same domain, and the embedding is assumed safe. And when they are not on the same domain, you have control to disable the prevention. In the Cloud, that is not customizable at this time. There are plans for an integrations dashboard that would give each customer the ability to specify allowed domains, but I don't know about the timeline for that.
A recent scan of our self-hosted environment showed that our Laserfiche Forms has clickjacking as a vulnerability. Can you explain more about where we can find the controls listed above? We would like to make sure that it is configured correctly.
I'm not sure how it works in Forms, but for the web client you would uncomment the lines in web.config that say:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <!-- Tells browsers to render this page only in frames from the same origin -->
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
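A way to verify the configuration discussed above, added here as an example and not Laserfiche's own code: it classifies a response's X-Frame-Options and CSP frame-ancestors headers the way a vulnerability scanner would, so an admin can confirm the web.config change took effect. The SAMPLE_HEADERS values are constructed, and check_url is a hypothetical helper for running it against a live server.

```python
import urllib.request
from typing import Dict, Optional


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]) or "'none'"
    return None


def assess_frame_protection(headers: Dict[str, str]) -> str:
    """Classify the framing policy a scanner would infer from response headers.

    Returns "blocked", "same-origin", "allowlisted" or "unprotected".
    Browsers that understand CSP frame-ancestors ignore X-Frame-Options when
    both are present, so the CSP directive is evaluated first.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    fa = frame_ancestors(lowered.get("content-security-policy", ""))
    if fa is not None:
        sources = fa.lower().split()
        if sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        return "allowlisted"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so anything
    # else (including a missing header) leaves the page frameable.
    return "unprotected"


def check_url(url: str) -> str:
    """Fetch a page and classify its framing policy (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return assess_frame_protection(dict(resp.headers))


# Constructed sample: headers sent once the web.config X-Frame-Options line is uncommented.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print(assess_frame_protection(SAMPLE_HEADERS))  # same-origin
```

Run check_url against the web client's login page from outside the server; a result other than "same-origin" or "blocked" means the header is not reaching the browser (for example, stripped by a reverse proxy).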