X-Frame-Options: SAMEORIGON issue | Community
sunily21159739
Level 2
December 16, 2021
Solved

X-Frame-Options: SAMEORIGON issue

  • December 16, 2021
  • 3 replies
  • 5951 views

Hi All,

I have developed my application on AEM 6.4 and now I need to access my application from another application through an iframe. When I try to access my AEM application through an iframe, I get the error below:

as expected X-Frame-Options: SAMEORIGON

I have updated configuration at dispatcher level like:

X-Frame-Options: ALLOW-FROM https://mynonaemapplication.com

but after updating it like this, it allows all other applications to access my AEM application through an iframe, which looks neither recommended nor secure.

Please advise how I can access my AEM application from another application through an iframe.

Thanks

3 replies

Level 2
December 17, 2021

Try checking the Apache Sling Referrer Filter, where you can restrict who gets to access your AEM environment.

 

The Sling Referrer Filter

To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling you need to add configurations for the Referrer filter in order to use it.

The referrer filter service is an OSGi service that allows you to configure:

  • which http methods should be filtered

  • whether an empty referrer header is allowed

  • and a list of servers to be allowed in addition to the server host.

    By default, all variations of localhost and the current host names the server is bound to are in the list.

Source: experience-manager-65.en/security-checklist.md at master · AdobeDocs/experience-manager-65.en · GitHub

 

Good Luck

Abdul
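
To make the three settings quoted above concrete, here is a small model of the referrer check, written as an added example for this thread (it is not AEM or Sling code). It assumes an AEM host of aem.example.com, a constructed set of sample requests, and a default trusted-host set of localhost aliases; the real filter is one instance-wide OSGi configuration, so any host you add to its allow-list is trusted for every site on that instance.

```python
from urllib.parse import urlsplit

# Hosts the filter trusts by default besides the server's own host. The exact
# alias set here is an assumption for this example, not taken from AEM.
DEFAULT_TRUSTED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def referrer_allowed(method, referer, server_host, allowed_hosts=(),
                     filter_methods=("POST", "PUT", "DELETE"),
                     allow_empty=False):
    """Model of the Referrer Filter settings named in the thread: which HTTP
    methods are filtered, whether an empty Referer is allowed, and which extra
    hosts are allowed besides the server host. True means the request passes."""
    # Read-only methods are never subject to the referrer check.
    if method.upper() not in {m.upper() for m in filter_methods}:
        return True

    # A filtered method without a Referer header passes only if configured so.
    if not referer:
        return allow_empty

    parts = urlsplit(referer)
    # A scheme-less (relative) referrer is treated as coming from this server,
    # modelled on how the Sling filter handles it.
    if not parts.scheme and not parts.netloc:
        return True

    host = (parts.hostname or "").lower()
    trusted = {server_host.lower()} | DEFAULT_TRUSTED_HOSTS
    trusted |= {h.lower() for h in allowed_hosts}
    return host in trusted


# Constructed requests against an instance reachable as aem.example.com, with
# mynonaemapplication.com (the partner site from the thread) allow-listed.
SAMPLE_REQUESTS = [
    ("GET",  "https://anything.example/",           "read-only, never filtered"),
    ("POST", "https://aem.example.com/content/x",   "same host"),
    ("POST", "https://mynonaemapplication.com/app", "allow-listed partner"),
    ("POST", "https://evil.example/form",           "untrusted host"),
    ("POST", "",                                    "no Referer header"),
]


def evaluate_samples(allow_empty=False):
    """Decision for each sample request, in SAMPLE_REQUESTS order."""
    return [referrer_allowed(method, referer, "aem.example.com",
                             allowed_hosts=["mynonaemapplication.com"],
                             allow_empty=allow_empty)
            for method, referer, _ in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, referer, note), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{'allow' if ok else 'deny ':5} {method:4} {referer or '<none>':42} {note}")
```

Note that a host is matched exactly, so aem.example.com.evil.example is not trusted just because it starts with the server host, and that allowing an empty referrer re-opens the CSRF window the filter exists to close, since a forged request can simply omit the header.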

sunily21159739
Level 2
December 17, 2021

Thanks Abdul. In our case we are using a multi-tenant architecture with three applications running on the same AEM instance; is it safe to do this update at the OSGi level?

Regards

arunpatidar
Community Advisor
December 18, 2021

Hi,

You should do this at site level as well; for your site or subsite add the header below:

x-frame-options: https://mynonaemapplication.com https://external2.domain.com

Arun Patidar
sunily21159739
Level 2
December 21, 2021

Hi Arun,

Thanks for the response. Do I need to add this "x-frame-options: https://mynonaemapplication.com https://external2.domain.com" at dispatcher level or at code level?

 

arunpatidar
Community Advisor
Accepted solution
December 21, 2021

Hi,

You can add this at code or dispatcher/apache level as well.

The easiest is to add at apache level.

x-frame-options: https://mynonaemapplication.com

Arun Patidar
Raja-Karuppsamy
Community Advisor
December 25, 2021

@sunily21159739 Please try the rule below by adding it in the virtual host file:

Header always append X-Frame-Options "ALLOW-FROM  http:// <external domain.com>"

 

Regards,

Raja
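
The accepted answer and the Apache rule above both rely on X-Frame-Options carrying a URL. A practitioner checking this will want to know how a browser actually reads those values, so here is an added example (not code from the thread, AEM or Apache) that decides whether a page would be framed, given its response headers. It assumes an AEM site URL of aem.example.com, the partner site mynonaemapplication.com from the thread, and constructed header sets; it models the two behaviours that matter here: current browsers recognise only DENY and SAMEORIGIN in X-Frame-Options and ignore the header for any other value, ALLOW-FROM included, and a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options when both are present.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme + host[:port] of a URL, lower-cased, e.g. https://aem.example.com."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _frame_ancestors_allow(sources, page_origin, embedder_origin):
    """Match the embedder's origin against a CSP frame-ancestors source list
    (simplified: 'self', 'none', '*', *.host wildcards, full origins, bare hosts)."""
    embedder_host = urlsplit(embedder_origin).hostname or ""
    for raw in sources:
        src = raw.strip("'").lower()
        if src == "none":
            return False
        if src == "*" or (src == "self" and embedder_origin == page_origin):
            return True
        if src.startswith("*.") and embedder_host.endswith(src[1:]):
            return True
        if "://" in src and origin_of(src) == embedder_origin:
            return True
        if "://" not in src and src == embedder_host:
            return True
    return False


def frame_allowed(headers, page_url, embedder_url):
    """Would a current browser render page_url in a frame hosted on embedder_url,
    given the page's response headers? Models X-Frame-Options DENY/SAMEORIGIN
    and CSP frame-ancestors; any other X-Frame-Options value is ignored."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    page_origin = origin_of(page_url)
    embedder_origin = origin_of(embedder_url)

    # CSP frame-ancestors wins over X-Frame-Options whenever it is present.
    csp = hdrs.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return _frame_ancestors_allow(tokens[1:], page_origin, embedder_origin)

    tokens = hdrs.get("x-frame-options", "").split()
    value = tokens[0].upper() if len(tokens) == 1 else ""
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder_origin == page_origin
    # No header, ALLOW-FROM (unsupported by current browsers), a bare URL or a
    # list of URLs: no recognised restriction, so any site may frame the page.
    return True


# Constructed URLs and header sets for the situations discussed in the thread.
PAGE = "https://aem.example.com/content/site/en.html"     # assumed AEM page
PARTNER = "https://mynonaemapplication.com/portal"          # embedder from the thread
OTHER = "https://some-other-site.example/page"              # an unrelated embedder

SCENARIOS = {
    "default SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "ALLOW-FROM partner": {"X-Frame-Options": "ALLOW-FROM https://mynonaemapplication.com"},
    "CSP frame-ancestors": {"Content-Security-Policy":
                            "frame-ancestors 'self' https://mynonaemapplication.com"},
}


def thread_scenarios():
    """For each header set: (partner may frame the page, other site may frame it)."""
    return {name: (frame_allowed(h, PAGE, PARTNER), frame_allowed(h, PAGE, OTHER))
            for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (partner, other) in thread_scenarios().items():
        print(f"{name:20} partner={str(partner):5} other={other}")
```

The ALLOW-FROM scenario reproduces what the original post observed: because the browser ignores the unrecognised value, the page becomes frameable by every site, not just the one named. The frame-ancestors scenario is the setting that actually restricts framing to the AEM site itself plus the partner; at the Apache level that is `Header always set Content-Security-Policy "frame-ancestors 'self' https://mynonaemapplication.com"`. Prefer `set` over `append` for these headers, since `append` merges with any value AEM or another rule already emitted, and a merged X-Frame-Options value is no longer one of the two forms browsers honour.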

sunily21159739
Level 2
January 5, 2022

Thanks everyone for the help and suggestions.