Adobe Experience Manager Sites & More

sunily21159739 · 12/16/21

Hi All,

I have developed my application on AEM6.4 and now I need to access my application by another application through iframe, when I am trying to access my AEM application through iframe, I am getting below error:

as expected X-Frame-Options: SAMEORIGON

I have updated configuration at dispatcher level like:

X-Frame-Options: ALLOW-FROM https://mynonaemapplication.com

but after updating like this, it allows to all other applications to access my AEM application by iframe and looks like not recommended or not secure.

Please advice how can I access my AEM application by other application through iframe.

Thanks

arunpatidar · 12/21/21

Hi,

You can add this at code or dispatcher/apache level as well.

The easiest is to add at apache level.

x-frame-options: https://mynonaemapplication.com

Arun Patidar

View solution in original post

Rasheed · 12/16/21

try checking on the Apache Sling Referrer filter where in you can restrict who get to access your AEM env.

The Sling Referrer Filter {#the-sling-referrer-filter}

To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling you need to add configurations for the Referrer filter in order to use it.

The referrer filter service is an OSGi service that allows you to configure:

which http methods should be filtered
whether an empty referrer header is allowed
and a list of servers to be allowed in addition to the server host.
By default, all variations of localhost and the current host names the server is bound to are in the list.

Source: experience-manager-65.en/security-checklist.md at master · AdobeDocs/experience-manager-65.en · GitH...

Good Luck

Abdul

sunily21159739 · 12/17/21

thanks Abdul, in our case we are using multitenant architecture and three applications running on the same AEM instance, is it safe to do update on OSGI level?

Regards

arunpatidar · 12/18/21

Hi,

You should do this site level as well, for your site or subsite add below header

x-frame-options: https://mynonaemapplication.com https://external2.domain.com

Arun Patidar

sunily21159739 · 12/20/21

Hi Arun,

Thanks for the response, do I need to add this "

x-frame-options: https://mynonaemapplication.com https://external2.domain.com

" at dispatcher level or on code level?

arunpatidar · 12/21/21

Hi,

You can add this at code or dispatcher/apache level as well.

The easiest is to add at apache level.

x-frame-options: https://mynonaemapplication.com

Arun Patidar

ShifGRO23 · 8/7/23

Hi @arunpatidar ,

What can we do in case of Author where apache/dispatcher config is not available for AEM Author as cloud service, it is only configurable for publish instances.

I want to embed author URL in iframe (using acs common integration of AEM assets with MS office).

ShifGRO23 · 8/7/23

@Raja-kp Could you please suggest?

arunpatidar · 8/8/23

AEM as a cloud service, the author is always behind the dispatcher, you can add that header easily from dispatcher config file.

Arun Patidar

ShifGRO23 · 8/8/23

@arunpatidar, In all the documents available from Adobe I could see they have mentioned how you can configure your dispatcher with publish instance, nothing is there for Author (as cloud service). You can also check this architectural diagram available in the official documents..

arunpatidar · 8/9/23

I also can't see that, but I think you access author via domain not with IP:PORT, so it goes via dispatcher, can you try adding those in author vhost file.

Arun Patidar

Raja-kp · 12/24/21

@sunily21159739 Please try this below rule by adding in virtual host file:

Header always append X-Frame-Options "ALLOW-FROM http:// <external domain.com>"

Regards,

Raja

sunily21159739 · 1/5/22

thanks everyone for help and suggestions.

Adobe Experience Manager Sites & More

X-Frame-Options: SAMEORIGON issue

Arun Patidar

The Sling Referrer Filter {#the-sling-referrer-filter}

Arun Patidar

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe