15 Replies. Latest reply on Dec 8, 2015 4:40 AM by ramon

    FileMaker Server 13v5 breaks embedded WebDirect

    nickorr

      Summary

      FileMaker Server 13v5 breaks embedded WebDirect

      Product

      FileMaker Server

      Version

      13v5

      Operating system version

      Windows 2008 64bit

      Description of the issue

      The update to v5 has extra security around embedding WebDirect in iframes on other servers, which is a good thing, but there is no way that works to override the allowed servers. IIS normally allows you to add your own X-Frame-Options header via the IIS settings, but it appears that there's no way to remove the existing one that FMS is setting.

      I tried overriding the deprecated X-Frame-Options header by adding an additional Content-Security-Policy header (which is a new standard), but no luck.

      Even though the spec says that browsers should ignore X-Frame-Options if Content-Security-Policy exists:
      https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors

      And I am testing with firefox, which should have support for this:
      http://caniuse.com/contentsecuritypolicy

      So what previously either worked, or had the ability to be specifically set for any security issues, now has a setting we can't adjust and causes a failure we didn't use to have.

      Steps to reproduce the problem

      Generate any WebDirect page, and embed it in an iframe in another web page. Load that in a browser, and check the browser errors. The iframe won't load and there will be an error like:

      Refused to display 'http://server/fmi/webd#filename' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

      Expected result

      If this is going to be blocked point blank by default (which is probably a good thing), then it needs to be documented as to how to override the default with a specific server setting to allow this option.

      Exact text of any error message(s) that appear

      Refused to display 'http://server/fmi/webd#filename' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

      Workaround

      Reverting to v4 appears to be the only workaround at the moment.
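The post turns on how a browser weighs X-Frame-Options against a Content-Security-Policy frame-ancestors directive. The script below is an added example, not code from the post, from FileMaker or from IIS: it takes a set of response headers plus the page URL and the URL of the top-level page trying to frame it, and reports whether framing is allowed and which header decided. It applies the CSP Level 2 precedence rule (frame-ancestors, when present, overrides X-Frame-Options) and the CSP host-source matching rules for scheme, host wildcard and port. The header values, the WebDirect URL and the portal URL are constructed for illustration; they are not captured from a real FMS 13v5 server.

```python
"""Decide whether a page may be framed, given its response headers.

Added example (not from the original post): evaluates X-Frame-Options and
the Content-Security-Policy frame-ancestors directive with the CSP Level 2
precedence rule, where frame-ancestors, when present, takes priority over
X-Frame-Options. Header values and URLs below are constructed samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Split a URL into (scheme, host, port); a missing port becomes the scheme default."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _host_source_matches(src, page, framer):
    """Match one CSP host-source of the form [scheme://]host[:port]; host may start with '*.'."""
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.partition(":")
    f_scheme, f_host, f_port = framer
    # A source without a scheme requires the protected page's own scheme (CSP2 rule).
    if (scheme or page[0]) != f_scheme:
        return False
    if host == "*":
        pass
    elif host.startswith("*."):
        if not f_host.endswith(host[1:]):          # "*.example.com" matches "a.example.com" only
            return False
    elif host != f_host:
        return False
    if port == "":
        return f_port == DEFAULT_PORTS.get(f_scheme)  # no port given: default port only
    return port == "*" or port == str(f_port)


def _source_matches(src, page, framer):
    s = src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return page == framer
    if s == "*":
        return True
    if s.endswith(":") and "://" not in s:          # scheme-source such as "https:"
        return framer[0] == s[:-1]
    return _host_source_matches(s, page, framer)


def frame_ancestors_sources(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for framing page_url from a top-level page at framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)

    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:                          # CSP present: X-Frame-Options is ignored
        ok = any(_source_matches(s, page, framer) for s in sources)
        return ok, "frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip()
    value = xfo.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return page == framer, "X-Frame-Options: SAMEORIGIN"
    parts = xfo.split(None, 1)
    if value.startswith("ALLOW-FROM") and len(parts) == 2:
        return origin_of(parts[1]) == framer, "X-Frame-Options: " + xfo
    # No header, or an unrecognised value: treated as unrestricted here.
    # Simplification: real browsers differ on malformed X-Frame-Options values.
    return True, "no framing restriction"


# Constructed sample mirroring the SAMEORIGIN response described in the post.
FMS_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
WEBD_URL = "http://server/fmi/webd"
PORTAL_URL = "http://portal.example/intranet.html"   # hypothetical embedding page
WITH_CSP = dict(FMS_HEADERS, **{"Content-Security-Policy": "frame-ancestors 'self' http://portal.example"})

if __name__ == "__main__":
    print(framing_allowed(FMS_HEADERS, WEBD_URL, PORTAL_URL))   # blocked by SAMEORIGIN
    print(framing_allowed(WITH_CSP, WEBD_URL, PORTAL_URL))      # frame-ancestors wins, allowed
```

Run it against headers fetched from a real server (for example via curl -I) to see which header the browser will act on; note that the script assumes a single Content-Security-Policy header and treats the framer as the top-level document, which is the case in the post's single-iframe setup.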
