Skip Navigation
Agent Browser UI won't load when embedded in an iFrame
Answer ID 9784   |   Last Review Date 03/18/2019

Why won't Agent Browser UI load when embedded in an iFrame?


Agent Browser UI (BUI)
Oracle B2C Service


In order to prevent security issues, such as clickjacking, there is a requirement to leverage a custom configuration setting for safelisting the iFrame domain(s). Without this setting, you cannot run Agent Browser UI within an iFrame.

Clickjacking is an attack on browser security that can mislead your users into clicking a concealed link. On a clickjacked page, attackers load another page in a transparent layer over your original page. Users think they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic one, such as a page from a well-known, reputable business. This makes it possible for attackers to trick your users into performing unintended actions.

If you plan to embed Agent Browser UI within an iFrame, you will be required to keep it secure and avoid clickjacking by following these guidelines:

  1. Agents will need to run at or above the Browser Support requirements.
    Failure to do so will cause issues once you proceed to steps 2 & 3.
  2. Create a custom configuration setting: CUSTOM_CFG_BUI_IFRAME_DOMAIN_LIST
    1. Access Configuration Settings and click New, choosing type of Text.
    2. Name the setting by appending BUI_IFRAME_DOMAIN_LIST to the existing CUSTOM_CFG_ value. Failure to use the correct name will mean this protection is invalid.
    3. Set the following values for this setting and then Save your changes.
      1. Type: Site (or Interface, as preferred)
      2. Required: No
      3. Folder: Custom
      4. Default: leave blank
      5. Maximum Length: as desired for domain listing
      6. Pattern: leave blank
      7. (Suggested) Description: Use this configuration setting to set allowable domains within which the Agent Browser UI can be embedded.
    4. Ensure you enter applicable domain values that you want to safelist in this configuration setting and save those changes. (ie., etc.) When entering more than one domain, separate with a comma (ie.,, etc.).
  3. Embed your Agent Browser UI in an iFrame and begin using the tool from within the iFrame.

Failure to add this configuration setting with appropriate safelisted values will cause Agent Browser UI to not function when embedded within an iFrame.

Path to setting(s): Select Configuration from the navigation area > Site Configuration > Configuration Settings > and search by Key.

For more information, refer to the following resources:
Allowing Customer Portal pages to display in an iframe
Clickjacking protection
Remove the ClickjackPrevention widget from the template
Preventing iFrame security issues