
Question


Getting an X-Frame-Options error when trying to launch a Form from Web Client using Custom Tabs and SAML Authentication

asked on August 9, 2024

I'm trying to start a Forms process via a custom Tab in Web Client, using SAML to authenticate. I'm having a few issues I'd like assistance with.

1) The client is already SAML authenticated to Web Client, but the embedded iFrame tab is going to LFDSTS asking for authentication again. I have verified that I can get to Forms normally without authenticating again, it's only asking in the embedded for another authorization.

2) I can successfully click SAML, and then I get a refused to connect error. Looking in the console, I see it was refused to display in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I believe the X-Frame-Options is a setting inside of FormsConfig. What would I need to change this to in order to get this working?


Answer

SELECTED ANSWER
replied on August 12, 2024

X-Frame-Options - HTTP | MDN (mozilla.org)

The X-Frame-Options header only has two valid values: SAMEORIGIN and DENY. You don't want either of those, so disable this header from the Security tab.

There is a different HTTP security header called Content-Security-Policy (CSP) with a "frame-ancestors" directive that is used to allow embedding in specific sites in modern browsers.

Content-Security-Policy - HTTP | MDN (mozilla.org)

CSP: frame-ancestors - HTTP | MDN (mozilla.org)

To update it, go to the /FormsConfig Advanced Options, find the Content-Security-Policy header field, and append this frame-ancestors directive value to the existing value, replacing the "www.example.org" with the hostname of the Web Client site:

; frame-ancestors 'self' https://www.example.org; 

Don't forget the closing semi-colon at the beginning if one isn't already present. That's necessary to mark the end of the previous directive.

Re:

The link you provided mentions changing the value directly in the Forms DB, but I see there is a setting in the /FormsConfig web interface under advanced options.

Thanks for bringing that to our attention. That documentation page pre-dates the introduction of the FormsConfig Advanced Option tab and it looks like the instructions weren't updated to reflect the new easier way of modifying the header values. I've submitted a documentation update request to fix that.

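To make the header rules in the selected answer concrete, here is an added example (not code from the thread or from Laserfiche): it appends a frame-ancestors directive to an existing Content-Security-Policy value with the separating semicolon handled, and then checks whether a browser would let the Web Client origin frame the Forms response before and after the change. The hostnames are placeholders, and the host-source matching is a simplified version of the CSP rules (no ports or paths).

```python
from urllib.parse import urlsplit

def add_frame_ancestors(csp: str, sources: list[str]) -> str:
    """Return csp with exactly one frame-ancestors directive listing sources.
    Other directives are kept; an existing frame-ancestors is replaced."""
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    directives = [d for d in directives if d.split()[0].lower() != "frame-ancestors"]
    directives.append("frame-ancestors " + " ".join(sources))
    return "; ".join(directives) + ";"

def _source_matches(source: str, origin: str) -> bool:
    """Simplified CSP host-source match: scheme if given, host, '*.' wildcard."""
    o = urlsplit(origin)
    s = urlsplit(source if "://" in source else "https://" + source)
    if "://" in source and s.scheme.lower() != o.scheme.lower():
        return False
    if s.hostname and s.hostname.startswith("*."):
        return bool(o.hostname) and o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname

def framing_allowed(headers: dict[str, str], embedder: str, framed: str) -> bool:
    """True if a page at origin `embedder` may frame a response from `framed`.
    A CSP frame-ancestors directive overrides X-Frame-Options; no header allows."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = None
    for d in h.get("content-security-policy", "").split(";"):
        parts = d.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            break
    if sources is not None:
        for src in sources:
            low = src.lower()
            if low == "*" or (low == "'self'" and embedder == framed):
                return True
            if low not in ("'none'", "'self'") and _source_matches(src, embedder):
                return True
        return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == framed
    return True

# Constructed sample (placeholder hosts): Web Client embeds Forms on another host.
WEB_CLIENT = "https://webclient.example.org"
BEFORE = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "default-src 'self'"}
AFTER = {"Content-Security-Policy": add_frame_ancestors(BEFORE["Content-Security-Policy"], ["'self'", WEB_CLIENT])}
```

Running framing_allowed on BEFORE reproduces the refused-to-connect result from the question, while AFTER (X-Frame-Options disabled, frame-ancestors added) allows only the Web Client origin.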

Replies

replied on August 12, 2024

Hi Michael,

Yes, Forms has a configuration setting for this; you can disable it and see if it helps. The introduction for the options can be found here: https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Default.htm#../Subsystems/Forms/Content/Administration/configuring-security-options.htm

replied on August 12, 2024

The link you provided mentions changing the value directly in the Forms DB, but I see there is a setting in the /FormsConfig web interface under advanced options.

I assume I can change it there? And if I do change it, what should I change the setting to? The link doesn't discuss that. In the web configuration, it's set to SAMEORIGIN.

And if the only way to get this set correctly is to disable in the Forms DB, what value do I set it to?

Thanks

replied on August 13, 2024

Thanks Sam. So I replace the example URL with the site that I'm having issues reaching within the iframe? Or am I supposed to enter in the Web Client URL, https://server/laserfiche?
