
online2 environment and X-FRAME-OPTIONS

Hi,

For our webpanel-based Online applications, we're experiencing issues with authentication when it comes to the new online2 environments.

It seemingly worked the other day, but now all three environments (SOD2, Stage and Online2) are unable to iframe their respective login page.

The problem happens when, for instance, a webpanel in sod2.superoffice.com redirects to sod.superoffice.com/login for authentication. The login page has X-FRAME-OPTIONS set to SAMEORIGIN, and is thus blocked when iframed in sod2.superoffice.com.

Is this by design? Should we redirect to sod2.superoffice.com/login instead? If so - should we extract the correct host from the netserver_url?

Frode

RE: online2 environment and X-FRAME-OPTIONS

Just tried this on sod2 for our apps which use a webpanel; we have the same issue...

This wasn't a problem when we tested our apps with sod2 at the start of January. 

I'm not sure how we are supposed to know which endpoint (online/online2, sod/sod2) to redirect users to for authentication.

Using the netserver_url like Frode said isn't an option since that claim is part of the token you receive after sending a user to the authentication page. We don't know much more than the Customer Context (CustXXXX) of a user before we get a token back.

Please revert this change.

By: David Hollegien, 21 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Same problem here, our apps were working on Monday last week but logins are now blocked:

Refused to display 'https://sod.superoffice.com/login?app_id=xxx' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

By: Matthijs Wagemakers, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Hello.

We are currently investigating this and we will be deploying a fix in SOD shortly.

--

HansO

By: Hans Oluf Waaler, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

A fix has been deployed in SOD. Can you check your partner applications and see if it works for you?

By: Hans Oluf Waaler, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Just did a quick test from my phone, and it seems to work in SOD2.

By: Frode Lillerud, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

It works again in Chrome, but Firefox still errors out:

"Load denied by X-Frame-Options: https://sod.superoffice.com/ does not permit framing by https://sod2.superoffice.com/Custxxxxx/."

By: David Hollegien, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Hi, for me it now works in SOD2 for all browsers I've tested. Chrome, Firefox, Edge and IE.

By: Frode Lillerud, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

When can the same fix be applied to Online2?

By: Frode Lillerud, 22 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

It now also works for me in Firefox.

By: David Hollegien, 23 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

The fix is currently pushed to stage / qaonline for smoke testing. I used Frode's app to verify that it works fine on the second public endpoint there (stage.superoffice.com).

If all other tests are OK too, we will push this to production this evening.

By: Margrethe Romnes, 23 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Works in Stage now, but not in Online2.

By: Frode Lillerud, 23 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

The fix was deployed to production around 23:45 yesterday.

By: Hans Oluf Waaler, 24 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Thanks, seems to work in Online2 now!

By: Frode Lillerud, 24 Jan 2019

RE: online2 environment and X-FRAME-OPTIONS

Hi!

How did you fix it?

We are getting issues from customers with an integration custom web panel:

Refused to display 'https://dev.businessanalyze.com/Cust11631/apro/analysis/handlers/runtime.aspx?dashboardid=09316d25-1c15-40bf-852e-09b63251c2c7&actiontab=true&tabid=-20171' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

By: Frode Svensson, 13 Mar 2019

RE: online2 environment and X-FRAME-OPTIONS

Hello,

It looks like your website https://dev.businessanalyze.com/Cust1163 returns the X-FRAME-OPTIONS header.

You have a couple of options:

  • You can dynamically set the allowed origin, as described for X-Frame-Options, based on the URL returned in the claims.
  • You can add a frame-ancestors directive to the Content-Security-Policy header with the value https://*.superoffice.com.
  • You can disable X-Frame-Options on your web site.

--

HansO

By: Hans Oluf Waaler, 13 Mar 2019
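The first two options in the answer above, worked through as an added example (this is not code from the thread, from SuperOffice or from the partner's web panel). It derives a frame-ancestors source from the netserver_url claim, but only after validating that the claim points at an https host under superoffice.com, so a forged or malformed claim cannot be reflected into the policy and open the panel to framing by an arbitrary origin; when no claim is available yet it falls back to the https://*.superoffice.com wildcard. A small matcher then shows which embedders each policy admits, which also reproduces the SAMEORIGIN failure from the start of the thread. The claim value, page origin and embedder origins used below are constructed for the demonstration.

```python
# Added example: per-tenant framing headers for a partner web panel, derived
# from the netserver_url claim. Not SuperOffice code; sample values constructed.
from typing import Dict, Optional
from urllib.parse import urlsplit

PARENT_DOMAIN = "superoffice.com"            # only these hosts may frame the panel
WILDCARD_SOURCE = f"https://*.{PARENT_DOMAIN}"  # option 2 from the answer above


def source_from_claim(netserver_url: str) -> Optional[str]:
    """Turn the netserver_url claim into a single frame-ancestors source.

    Returns None unless the claim is https, on superoffice.com or a subdomain
    of it, and on the default port. Anything else must not widen the policy.
    """
    parts = urlsplit(netserver_url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return None
    if host != PARENT_DOMAIN and not host.endswith("." + PARENT_DOMAIN):
        return None
    try:
        port = parts.port
    except ValueError:          # e.g. "https://host:abc/"
        return None
    if port not in (None, 443):
        return None
    return f"https://{host}"


def framing_headers(netserver_url: Optional[str]) -> Dict[str, str]:
    """Response headers for the panel given the tenant's netserver_url claim.

    frame-ancestors is what current browsers enforce, and per the CSP spec it
    takes precedence over X-Frame-Options when both are present. X-Frame-Options
    is emitted only as a legacy fallback: ALLOW-FROM names one origin, cannot
    express a wildcard, and was never supported by Chrome.
    """
    source = source_from_claim(netserver_url) if netserver_url else None
    if source is None:
        # No usable claim yet (the claim only arrives with the token, as noted
        # earlier in the thread): allow any superoffice.com host to frame us.
        return {"Content-Security-Policy": f"frame-ancestors 'self' {WILDCARD_SOURCE}"}
    return {
        "Content-Security-Policy": f"frame-ancestors 'self' {source}",
        "X-Frame-Options": f"ALLOW-FROM {source}",
    }


def frame_allowed(headers: Dict[str, str], page_origin: str, embedder_origin: str) -> bool:
    """Simplified check of whether embedder_origin may frame the page.

    Implements only the subset used above: 'self', exact https origins and a
    leading '*.' host wildcard. Without a frame-ancestors directive the check
    falls back to X-Frame-Options DENY / SAMEORIGIN; no header at all allows framing.
    """
    csp = headers.get("Content-Security-Policy", "")
    directive = next((d.strip() for d in csp.split(";")
                      if d.strip().startswith("frame-ancestors")), None)
    if directive is None:
        xfo = headers.get("X-Frame-Options", "").strip().upper()
        if xfo == "DENY":
            return False
        if xfo == "SAMEORIGIN":
            return embedder_origin == page_origin
        return True
    emb = urlsplit(embedder_origin)
    emb_host = (emb.hostname or "").lower()
    for src in directive.split()[1:]:
        if src == "'self'":
            if embedder_origin == page_origin:
                return True
            continue
        if src == "'none'":
            continue
        scheme, hostport = src.split("://", 1) if "://" in src else ("", src)
        if scheme and scheme != emb.scheme:
            continue                      # an https source never matches http
        pattern = hostport.split("/", 1)[0].split(":", 1)[0].lower()
        if pattern.startswith("*.") and emb_host.endswith(pattern[1:]):
            return True                   # *.superoffice.com matches sod2.superoffice.com
        if pattern == emb_host:
            return True
    return False


if __name__ == "__main__":
    # The original report: the login page answered SAMEORIGIN on
    # sod.superoffice.com and was framed from sod2.superoffice.com.
    login_page = {"X-Frame-Options": "SAMEORIGIN"}
    print(frame_allowed(login_page, "https://sod.superoffice.com",
                        "https://sod2.superoffice.com"))          # False
    # Constructed claim for a tenant on sod2.
    print(framing_headers("https://sod2.superoffice.com/Custxxxxx/"))
    print(framing_headers(None))                                   # wildcard fallback
```

In a real deployment these headers are set by middleware on every response of the panel, keyed on the tenant identified by the request; the wildcard branch is what the very first request gets, since the claim is only known once the token has come back. The matcher is deliberately minimal and is there to make the policies testable, not to replace the browser's own CSP evaluation.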

RE: online2 environment and X-FRAME-OPTIONS

Thanks. We found a solution that worked!

By: Frode Svensson, 14 Mar 2019