5 of 5 people found this helpful
So you want your own WebDirect content to display in an <iframe> element of an external webpage (hosted on a separate server)? If so, yes, that can be done. But it should be approached very cautiously. Because if your WebDirect solutions are public-facing, then anyone could embed them in their own pages' iframe elements as well. And then potentially lure users to those pages and clickjack them (capture the credentials and data they enter). That is why major sites like Google and Facebook block their content from displaying in iframes of pages hosted on other sites (incl. in web viewers in WebDirect, which use iframes).
At a general level, the restriction is imposed by a parameter called 'X-Frame-Options' with a value of "SAMEORIGIN" in a web server config file under the HTTPServer folder ('web.config' on Win and 'httpd.conf' or 'httpd.conf.2.4' on Mac). Disabling that line would remove the restriction. But it would remove this protection not only from your WebDirect solutions, but also from all other web content served by FileMaker Server (incl. XML & PHP), leaving these solutions potentially vulnerable. So it is strongly discouraged for security reasons (and not supported).
Definitely a good hint!
Unfortunately, my httpd.conf (in the Apache2 folder) does not contain an entry for the X-Frame-Options.
The setup is
OS: macOS 10.12.5
I understand that there is a security risk, but I could only grant the option to specified websites, right?
X-Frame-Options: ALLOW-FROM https://example.com/
2 of 2 people found this helpful
In FileMaker Server 14.0.4 and later (on macOS), the files that contain this entry are 'httpd.conf' and 'httpd.conf.2.4' in the folder: FileMaker Server > HTTPServer > conf (the latter file, httpd.conf.2.4, may be the one you actually need to edit).
As for what other X-Frame-Options you could set to ensure only known sites can embed your WebDirect content in their iframes, that is not my area of expertise (and would have to be tested either way), so I must reiterate this is a "use at your own risk" modification.
Is this public-facing and have you considered the licensing implications? You might want to do this with the API for PHP or the new REST API...
The customer has a public website that is visited by consumers and partners.
The system I am supposed to build will manage the partners (back office) and let them manage their details, bills etc. themselves.
For the consumer part - Jason - I agree, the licensing implications are prohibitive to use WebDirect - that's why I will upload the necessary data to a MySQL db and let the web developer take it from there.
But there are not that many partners and their layout and logic requirements are not that trivial. That's why I would prefer to keep the WebDirect approach to be able to implement changes quickly (for the moment). On the other hand, there is no advantage to re-build the website structure with navigation etc. That's why I think the iFrame approach is ideally suited for this special case.