Prevent Customer Portal pages from loading in an iframe
Answer ID 12012   |   Last Review Date 11/09/2021

How do we prevent Customer Portal pages from loading in an iframe?

Environment:
 
Oracle B2C Service Customer Portal framework, version 3.4 and higher
 
Issue:
 
We want to prevent our end-user pages from being loaded in an iframe without impacting Agent Browser UI functionality.
 
Resolution:
 
To restrict both Agent Browser UI (BUI) and Customer Portal pages from being loaded in an iframe, follow Answer 11704: Remove and add security headers through the Oracle B2C Configuration Assistant.
 
If agents use the Browser UI inside an iframe (via the instructions at Answer 9784), instead use one or both of the following Customer Portal widgets to control the behavior for only the end-user pages. Put the widget or widgets in the <head> section of every template in use.
 
  • utils/AdvancedSecurityHeaders

    Use the widget parameter content_type_options to set the Content-Security-Policy (CSP) header. The CSP frame-ancestors directive is what controls which origins, if any, may load the page in a frame.

    Take care to test your pages thoroughly when modifying Content-Security-Policy, since it also controls other behavior, such as which external scripts can be loaded.
     
  • utils/ClickjackPrevention

    Use the widget parameter frame_options to send the X-Frame-Options header with the desired value.

Cause:

A Content-Security-Policy header (with a frame-ancestors directive) or an X-Frame-Options header must be sent with the page; it is the user's browser that enforces the header and refuses to load the page in an iframe.
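Because the browser, not the server, enforces these headers, it is worth checking what a deployed configuration actually permits. The helper below is an added example, not part of this answer or of the Customer Portal framework; it applies the browser rules (an enforced frame-ancestors directive takes precedence over X-Frame-Options, no header means the page can be framed anywhere) to constructed sample headers and origins.

```python
from urllib.parse import urlsplit

def _host_matches(pattern, host):
    """CSP host matching: exact host, or '*.example.com' for any subdomain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # keep the dot: the bare domain does not match
    return host == pattern

def _source_matches(source, page_origin, parent_origin):
    """Match one frame-ancestors source expression against the embedding origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent_origin == page_origin
    parent = urlsplit(parent_origin)
    if src.endswith(":") and "/" not in src:       # scheme-source such as https:
        return parent.scheme + ":" == src
    pat = urlsplit(src if "://" in src else "//" + src)   # host-source, scheme optional
    if pat.scheme and pat.scheme != parent.scheme:
        return False
    if pat.port != parent.port:                    # ports compared literally, no default-port logic
        return False
    return _host_matches(pat.hostname or "", parent.hostname or "")

def framing_allowed(headers, page_origin, parent_origin):
    """Would a browser let parent_origin frame page_origin, given these response headers?
    An enforced frame-ancestors directive governs and X-Frame-Options is then ignored (CSP
    spec); with neither header the page can be framed from anywhere. Origins are lowercase
    scheme://host[:port] strings without a trailing slash."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":   # first occurrence wins
            return any(_source_matches(s, page_origin, parent_origin) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin == page_origin
    return True   # no header, or a value browsers ignore (e.g. the obsolete ALLOW-FROM)

# Constructed sample responses, modelled on what the two widgets described above would emit
PORTAL = "https://portal.example.com"
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com"}
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
CSP_WINS = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "SAMEORIGIN"}
```

Run `framing_allowed(CSP_ONLY, PORTAL, "https://attacker.test")` against the headers your site really sends to confirm the widget configuration blocks framing from origins other than the ones you intend.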

Notes:

You can find the documentation for the widgets in the Customer Portal administration area of your site by using the Widgets dropdown (Browse widgets > Standard). Alternatively, go to https://<your-site>/ci/admin/docs/widgets/standard/utils

Further details on constructing a Content-Security-Policy header can be found at MDN Web Docs (external link). For the case discussed here, you need the frame-ancestors directive. Review all the available directives and test thoroughly so that the CSP header does not block other functionality on your pages.

To access Oracle B2C Service manuals and documentation online, refer to the Documentation for Oracle B2C Service Products.