Don't miss out Virtual Happy Hour this Friday (April 26).

Try our conversational search powered by Generative AI!

Using an Episerver CMS Page in Ifram inside another website

Vote:
 

Hi 

I am trying to have a episerver page that contains an Epi form in a different website with different domain

Is there any way to use an Episerve Page in Ifram inside another website that has Wordpress for example?

I've tried it in an simple html file and a word press page both are getting refused to connect. however this issue it is not happeninng on the website home page but for any other subpage like contact us for example that error occured.

#245660
Edited, Dec 17, 2020 3:12
Vote:
 

Hi Vahid,

What issue you are seeing when you use this on inner pages?

#245668
Dec 17, 2020 8:13
Vote:
 

Your site can have Content-Security-Policy headers that prevent it from being iframed.

#245679
Dec 17, 2020 13:34
Vote:
 

Thanks , I am gettin refused to connect error.

I can see that the response header X-Frame-Options set as same origin. but how can I change the header to Content-Security-Policy in Episerver and does it have any risk?

#245695
Dec 17, 2020 21:51
Vote:
 

Take a look at this page for an explanation and an example of configuration at the very bottom:
https://content-security-policy.com/

I do not think this is added by default, so I suspect you will find it if you search your code solution for "Content-Security-Policy".

If you want to change the CSP-header for specific pages, you could create an IHttpModule and add the header in OnPreSendRequestHeaders.

#245716
Dec 18, 2020 4:39
Vote:
 

Vahid, see X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Configuring_IIS

In your web[.]config (or transformation file) see if you have something like this under system.webServer section:

<httpProtocol>
   <customHeaders>
      <!-- security audits like this -->
      <remove name="X-Powered-By" />
      <!-- add headers to improve security -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
   </customHeaders>
</httpProtocol>

BUT for that your options are limited to: DENY or SAMEORIGIN.

So you should remove that setting if you have it and then use CSP to limit who/what can load the page to an iframe.

#245903
Dec 21, 2020 9:44
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.