You are viewing limited content. For full access, please sign in.

Question

Question

LF Cloud Private Forms in 3rd Party iFrame

Laserfiche Cloud Forms Security Integrations
Updated February 9
asked on February 8

Hi there,

We have a Private Form (requiring authentication to submit) and want to push it into a 3rd-party browser application's iFrame.

We would expect that if there was a current LF Cloud browser session for the user, that when they launch the 3rd-party iFrame it would simply show them the Form; and if they don't have a live session that they'd be prompted for credentials and then see the Form.

But when we try to access the Form in the iFrame - we get an error. This is confirmed in this iFrame testing tool (we should be seeing either the Form if we have a current session; or a login page here):

If we make the Form public - it displays in the iFrame; however certain forms that we want to display in the iFrame must be Private. 

So it seems that Private forms simply aren't displayed in 3rd-party iFrames - is that the case?

Thanks,

Duncan

0 0

Answer

SELECTED ANSWER
replied on February 9

For security reasons, Laserfiche Cloud does not allow the login page to be embedded into arbitrary sites. Your territory manager can help you get your site on the allowed list.

2 0
replied on February 9

Thanks @████████  - will do yes

0 0

Replies

replied on February 9

I played around with this in my own environment for a while, just to see what I could see.

With a publicly available form, you just have the form that is being displayed and loaded.

With a private form, you have the form starting to load and then promptly redirecting to the login page, and then you have the login page redirecting back to the form once complete.

The iFrame has to not only be able to handle those redirects properly, but the pages themselves need to be enabled to allow inclusion within an iFrame.

I can't speak to Cloud specifically, but with my on prem environment running 11 Update 3 (11.0.2212.30987), I was able to get both a public form and a private form to display something in an iFrame.  The private form redirected to the login page.  But then the login page didn't actually work as expected to log in and rediect to the form, it was just stuck on the login page.  

If you want to test whether the Cloud form login page even allows itself to be displayed in an iFrame, you can:

  1. Load the login page in a Chrome window.
  2. Access the Inspect/DevTools window (from a right-click on the page or pressing F12).
  3. Go to the Network tab.
  4. Refresh the login page while on the Network tab, and you'll see the list of loaded items along the left of the Network tab's list.
  5. You should see the URL for the login page as one of the first items in the list (you'll probably see your actual Form's URL once or twice and then the LogIn URL listing a returnURL value back to your Form's URL).
  6. Select it and more information will be displayed to the side of it.
  7. There are more tabs there for that selection, including a tab labeled "Headers".
  8. Select that "Headers" tab.
  9. You're looking for a header option called "X-Frame-Options".
  10. It might not be there, but if it is, it might be listing an option like "DENY".
  11. If that is the case, then that would explain why it isn't working, and would mean there isn't anything you can do about it.

 

The fact that the on prem login screen did load for me, but the Cloud login screen isn't loading for you, does make me suspect that perhaps the Cloud version does have that "X-Frame-Options"="DENY" header, but I can't say for sure, since I'm not in Cloud to be able to test it.

And as I mentioned before, although the login page did load for me, it didn't actually function as expected, so this just might be a dead end.  I'm sorry.

2 0
replied on February 9

Thanks @████████ for the effort and info! Looks like you discovered exactly what Miruna mentions in her response.

Regards,

Duncan

1 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...