How do we prevent Customer Portal pages from loading in an iframe?
Add one of the following widgets to the <head> section of every template in use:

utils/AdvancedSecurityHeaders
Use the widget parameter content_type_options to set the Content-Security-Policy (CSP) header. The CSP frame-ancestors directive controls whether the page may be loaded in an iframe. Take care to test your pages thoroughly when modifying Content-Security-Policy, since it also controls other behavior, such as which external scripts can be loaded.

utils/ClickjackPrevention
Use the widget parameter frame_options to send the X-Frame-Options header as desired.
Cause:
A Content-Security-Policy or X-Frame-Options header (or both) must be sent for the user's browser to prevent a page from loading in an iframe.
Notes:
You can find the documentation for the widgets in the Customer Portal administration area of your site by using the Widgets dropdown, then Browse widgets, then Standard. Alternatively, go to https://<your-site>/ci/admin/docs/widgets/standard/utils
Further details on constructing a Content-Security-Policy header can be found at MDN Web Docs (external link). For the case discussed here, you need the frame-ancestors directive. Review all the available directives and test thoroughly so that the CSP header does not block other functionality on your pages.
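The following is an added verification example, not code from Oracle or the Customer Portal widgets: it takes the response headers of a page (assumed to be captured as a dictionary, for example from a browser's network panel or an HTTP client) and reports whether the CSP frame-ancestors directive or X-Frame-Options will stop the page from being framed. It also covers the cases that are easy to get wrong: a CSP that has no frame-ancestors directive (which does not restrict framing at all), and frame-ancestors taking precedence over X-Frame-Options when both are present.

```python
"""Report whether a page's response headers prevent it from being framed."""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            # Directive names are case-insensitive; keep source quotes intact.
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_verdict(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'restricted' or 'unprotected' for the given headers.

    Header names are matched case-insensitively. When a CSP frame-ancestors
    directive is present, browsers ignore X-Frame-Options, so it is checked first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # An empty source list is equivalent to 'none' per the CSP spec.
            if ancestors in ([], ["'none'"]):
                return "blocked"
            if "*" in ancestors:
                return "unprotected"
            return "restricted"  # 'self' or an allow-list of origins
    # No CSP, or a CSP without frame-ancestors: X-Frame-Options decides.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "unprotected"


# Constructed sample header sets illustrating each outcome.
SAMPLES: Dict[str, Dict[str, str]] = {
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_without_frame_ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "sameorigin"},
    "csp_overrides_xfo": {"Content-Security-Policy": "frame-ancestors 'self'",
                          "X-Frame-Options": "DENY"},
    "no_headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_verdict(hdrs)}")
```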
To access Oracle B2C Service manuals and documentation online, refer to the Documentation for Oracle B2C Service Products.