5 Replies Latest reply on Jul 6, 2017 12:47 AM by cdunkake

    Webdirect in iFrame

    cdunkake

      For a project it would be highly desirable to put several complex forms into iFrames to avoid rebuilding the webpage navigation etc.


      My research dead ended with a security update in 14.0.4:

      "For FileMaker WebDirect and Custom Web Publishing content to display in <iframe> tags of separate webpages, those webpages must also be hosted by the FileMaker Server web server. Webpages hosted by other web servers cannot use the <iframe> tag to embed FileMaker WebDirect and Custom Web Publishing content."


      Is there any way to disable this "security feature" or a way around it?

      Hosting the website on the FMS is definitely not an option.

        • 1. Re: Webdirect in iFrame
          LisaRose

          So you want your own WebDirect content to display in an <iframe> element of an external webpage (hosted on a separate server)? If so, yes, that can be done. But it should be approached very cautiously. Because if your WebDirect solutions are public-facing, then anyone could embed them in their own pages' iframe elements as well. And then potentially lure users to those pages and clickjack them (capture the credentials and data they enter). That is why major sites like Google and Facebook block their content from displaying in iframes of pages hosted on other sites (incl. in web viewers in WebDirect, which use iframes).


          At a general level, the restriction is imposed by a parameter called 'X-Frame-Options' with a value of "SAMEORIGIN" in a web server config file under the HTTPServer folder ('web.config' on Win and 'httpd.conf' or 'httpd.conf.2.4' on Mac). Disabling that line would remove the restriction. But it would remove this protection not only from your WebDirect solutions, but also from all other web content served by FileMaker Server (incl. XML & PHP), leaving these solutions potentially vulnerable. So it is strongly discouraged for security reasons (and not supported).

          • 2. Re: Webdirect in iFrame
            cdunkake

            Hi Lisa


            Thanks!

            Definitely a good hint!


            Unfortunately, my httpd.conf (in the Apache2 folder) does not contain an entry for the X-Frame-Options.


            The setup is

            OS: macOS 10.12.5

            FMS: 16.0.1


            I understand that there is a security risk, but I could only grant the option to specified websites, right?

            X-Frame-Options: DENY

            X-Frame-Options: SAMEORIGIN

            X-Frame-Options: ALLOW-FROM https://example.com/

            X-Frame-Options: ALLOWALL

            • 3. Re: Webdirect in iFrame
              LisaRose

              In FileMaker Server 14.0.4 and later (on macOS), the files that contain this entry are 'httpd.conf' and 'httpd.conf.2.4' in folder: FileMaker Server > HTTPServer > conf (latter file, httpd.conf.2.4, may be one you actually need to edit).


              As for what other X-Frame-Options you could set to ensure only known sites can embed your WebDirect content in their iframes, that is not my area of expertise (and would have to be tested either way), so I must reiterate this is a "use at your own risk" modification.

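As an added example (not code from this thread or from FileMaker Server), the following Python models how a browser decides whether one origin may frame another, given the response headers discussed above: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, and unrecognised X-Frame-Options values (ALLOWALL is not a defined value; ALLOW-FROM has been dropped by current browsers) are simply ignored, which permits framing rather than denying it. Hostnames are constructed for illustration.

```python
# Added example: a model of the browser's framing decision for the headers
# discussed in this thread. Not FileMaker Server code; hostnames are constructed.
# Only scheme://host sources are modelled for frame-ancestors (no wildcards).
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Scheme + host (+ port) of a URL, the unit these headers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: dict, framed_url: str, framer_url: str) -> bool:
    """Decide whether the page at framer_url may embed framed_url in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    framed, framer = _origin(framed_url), _origin(framer_url)

    # Content-Security-Policy frame-ancestors wins over X-Frame-Options.
    # On Apache this is what a restriction to one named site would look like:
    #   Header always set Content-Security-Policy "frame-ancestors 'self' https://www.customer.example"
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        for src in sources:
            s = src.lower()
            if s == "'none'":
                return False
            if s == "'self'" and framer == framed:
                return True
            if s == "*" or (s.startswith("http") and _origin(s) == framer):
                return True
        return False  # a directive is present and nothing matched

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == framed
    return True  # header absent or unrecognised (e.g. ALLOWALL): no restriction
```

Replacing FileMaker Server's SAMEORIGIN header with a frame-ancestors list that names only the customer's site keeps everyone else locked out, whereas ALLOWALL removes the protection for every site.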
              • 4. Re: Webdirect in iFrame
                Jason Wood

                Is this public-facing and have you considered the licensing implications? You might want to do this with the API for PHP or the new REST API...

                • 5. Re: Webdirect in iFrame
                  cdunkake

                  The customer has a public website that is visited by consumers and partners.

                  The system I am supposed to build will manage the partners (back office) and let them manage their details, bills etc. themselves.


                  For the consumer part - Jason - I agree, the licensing implications are prohibitive to use WebDirect - that's why I will upload the necessary data to a MySQL db and let the web developer take it from there.

                  But there are not that many partners and their layout and logic requirements are not that trivial. That's why I would prefer to keep the Webdirect approach to be able to implement changes quickly (for the moment). On the other hand, there is no advantage to re-build the website structure with navigation etc. That's why I think the iFrame approach is ideally suited for this special case.