Posted to dev@ofbiz.apache.org by amalesh paul <am...@gmail.com> on 2017/04/12 07:09:33 UTC
Issue on Ofbiz in Iframe
Hello,
My name is Amalesh. I am using Apache OFBiz version 16 in my
project. For that I imported the running OFBiz into my project through an iframe.
It is not working; when I debugged, the browser was not able to display the
URL because it set 'X-Frame-Options' to 'sameorigin'.
Now I want to remove the X-Frame-Options from OFBiz. How can I
change the X-Frame-Options? Or else, is there any other way to bring
OFBiz into an iframe?
Please let me know the solution for the above problem.
Thank You.
--
*Warm Regards,*
*Amalesh.R*
*9677843593.*
Re: Issue on Ofbiz in Iframe
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Amalesh
You might also be interested in
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers
and
https://issues.apache.org/jira/browse/OFBIZ-6766
But please remember to rather use the user ML for such questions, see why here http://ofbiz.apache.org/mailing-lists.html
You will get better support and it's fairer to share with everybody
The wider the audience the better the answers you might get
Thanks
Jacques
On 26/04/2017 at 06:09, Aditya Sharma wrote:
> Hi Amalesh,
>
> You can also set it in web.xml file of your component as Apache Tomcat has
> already provided the support for that.
>
> Just add *HttpHeaderSecurityFilter* and then you can set these options as
> param.
>
> <filter>
> <display-name>HttpHeaderSecurityFilter</display-name>
> <filter-name>HttpHeaderSecurityFilter</filter-name>
> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> <init-param>
> <param-name>antiClickJackingOption</param-name>
> <param-value>SAMEORIGIN</param-value>
> </init-param>
> </filter>
>
>
>
> Refer
>
> https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html
>
>
>
>
>
> Thanks & Regards,
> Aditya Sharma
> Enterprise Software Engineer
> HotWax Systems Pvt. Ltd.
> http://www.hotwaxsystems.com/
>
> On Wed, Apr 12, 2017 at 4:53 PM, Deepak Dixit <
> deepak.dixit@hotwaxsystems.com> wrote:
>
>> Hi Amalesh,
>>
>> If you want to render some specific view to iframe then you can set the
>> x-frame-options in view mapping as well.
>>
>> Thanks & Regards
>> --
>> Deepak Dixit
>> www.hotwaxsystems.com
>>
>> On Wed, Apr 12, 2017 at 4:30 PM, Shubham Agrawal <
>> shubham.agrawal@hotwaxsystems.com> wrote:
>>
>>> Hii Amalesh,
>>>
>>> X-Frame-Options is a security implementation which is inserted by the
>>> server in response header. This response header avoids any browser to
>>> render a page in HTML tags like <iframe>.
>>>
>>> According to you, the X-Frame-Options is set to SameOrigin. For your case
>>> to work, I think you can change it to ALLOW-FROM
>> https://website-name.com
>>> To change the X-Frame-Options in OFBiz:
>>>
>>> 1) Traverse to this file
>>> /framework/webapp/src/main/java/org/apache/ofbiz/webapp/
>>> control/RequestHandler.java
>>>
>>> 2) Search for sameorigin.
>>>
>>> 3) Replace sameorigin with ALLOW-FROM https://website-name.com
>>>
>>>
>>>
>>> P.S. - It is not allowed to follow such practice due to security
>> concerns.
>>> You should look for some other way to fulfil your task. Using Iframe is
>>> also not recommended as you are showing the content from the other
>> website
>>> which makes it vulnerable to ClickJacking attacks.
>>>
>>> *Thanks and Regards,*
>>> *Shubham Agrawal*
>>> *Enterprise Software Engineer*
>>> *Hotwax Systems Pvt Ltd*
>>>
>>> On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <
>>> slidingfilaments@gmail.com
>>>> wrote:
>>>> Hi Amalesh,
>>>>
>>>> What do you mean by "I imported running ofbiz in to my project through
>>>> Iframe"? I'm not sure I understand what you're referring to?
>>>>
>>>> Cheers,
>>>>
>>>> Taher Alkhateeb
>>>>
>>>> On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <amalesh.prsa@gmail.com
>>>> wrote:
>>>>
>>>>> Hello,
>>>>> My name is Amalesh, I am using Apache ofbiz 16 version in my
>>>>> project. For that I imported running ofbiz in to my project through
>>>> Iframe.
>>>>> It is not working, when I debug the browser could not able to display
>>> the
>>>>> url because it set 'X-Frame-Options' to 'sameorigin'.
>>>>> Now I want to remove the x-frame-options from ofbiz, how can
>> I
>>>>> change the x-frame-options. Or else is there any other way to bring
>> the
>>>>> ofbiz in to Iframe.
>>>>> Please let me know the solution for the above problem.
>>>>>
>>>>> Thank You.
>>>>>
>>>>> --
>>>>>
>>>>> *Warm Regards,*
>>>>> *Amalesh.R*
>>>>> *9677843593.*
>>>>>
Re: Issue on Ofbiz in Iframe
Posted by Aditya Sharma <ad...@hotwaxsystems.com>.
Hi Amalesh,
You can also set it in the web.xml file of your component, as Apache Tomcat has
already provided support for that.
Just add *HttpHeaderSecurityFilter* and then you can set these options as
params.
<filter>
    <display-name>HttpHeaderSecurityFilter</display-name>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- Value sent in the X-Frame-Options response header -->
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<!-- A filter only takes effect once it is mapped to a URL pattern -->
<filter-mapping>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Refer
https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html
Thanks & Regards,
Aditya Sharma
Enterprise Software Engineer
HotWax Systems Pvt. Ltd.
http://www.hotwaxsystems.com/
On Wed, Apr 12, 2017 at 4:53 PM, Deepak Dixit <
deepak.dixit@hotwaxsystems.com> wrote:
> Hi Amalesh,
>
> If you want to render some specific view to iframe then you can set the
> x-frame-options in view mapping as well.
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com
>
> On Wed, Apr 12, 2017 at 4:30 PM, Shubham Agrawal <
> shubham.agrawal@hotwaxsystems.com> wrote:
>
> > Hii Amalesh,
> >
> > X-Frame-Options is a security implementation which is inserted by the
> > server in response header. This response header avoids any browser to
> > render a page in HTML tags like <iframe>.
> >
> > According to you, the X-Frame-Options is set to SameOrigin. For your case
> > to work, I think you can change it to ALLOW-FROM
> https://website-name.com
> >
> > To change the X-Frame-Options in OFBiz:
> >
> > 1) Traverse to this file
> > /framework/webapp/src/main/java/org/apache/ofbiz/webapp/
> > control/RequestHandler.java
> >
> > 2) Search for sameorigin.
> >
> > 3) Replace sameorigin with ALLOW-FROM https://website-name.com
> >
> >
> >
> > P.S. - It is not allowed to follow such practice due to security
> concerns.
> > You should look for some other way to fulfil your task. Using Iframe is
> > also not recommended as you are showing the content from the other
> website
> > which makes it vulnerable to ClickJacking attacks.
> >
> > *Thanks and Regards,*
> > *Shubham Agrawal*
> > *Enterprise Software Engineer*
> > *Hotwax Systems Pvt Ltd*
> >
> > On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <
> > slidingfilaments@gmail.com
> > > wrote:
> >
> > > Hi Amalesh,
> > >
> > > What do you mean by "I imported running ofbiz in to my project through
> > > Iframe"? I'm not sure I understand what you're referring to?
> > >
> > > Cheers,
> > >
> > > Taher Alkhateeb
> > >
> > > On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <amalesh.prsa@gmail.com
> >
> > > wrote:
> > >
> > > > Hello,
> > > > My name is Amalesh, I am using Apache ofbiz 16 version in my
> > > > project. For that I imported running ofbiz in to my project through
> > > Iframe.
> > > > It is not working, when I debug the browser could not able to display
> > the
> > > > url because it set 'X-Frame-Options' to 'sameorigin'.
> > > > Now I want to remove the x-frame-options from ofbiz, how can
> I
> > > > change the x-frame-options. Or else is there any other way to bring
> the
> > > > ofbiz in to Iframe.
> > > > Please let me know the solution for the above problem.
> > > >
> > > > Thank You.
> > > >
> > > > --
> > > >
> > > > *Warm Regards,*
> > > > *Amalesh.R*
> > > > *9677843593.*
> > > >
> > >
> >
>
Re: Issue on Ofbiz in Iframe
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Hi Amalesh,
If you want to render some specific view in an iframe then you can set the
x-frame-options in the view mapping as well.
Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
On Wed, Apr 12, 2017 at 4:30 PM, Shubham Agrawal <
shubham.agrawal@hotwaxsystems.com> wrote:
> Hii Amalesh,
>
> X-Frame-Options is a security implementation which is inserted by the
> server in response header. This response header avoids any browser to
> render a page in HTML tags like <iframe>.
>
> According to you, the X-Frame-Options is set to SameOrigin. For your case
> to work, I think you can change it to ALLOW-FROM https://website-name.com
>
> To change the X-Frame-Options in OFBiz:
>
> 1) Traverse to this file
> /framework/webapp/src/main/java/org/apache/ofbiz/webapp/
> control/RequestHandler.java
>
> 2) Search for sameorigin.
>
> 3) Replace sameorigin with ALLOW-FROM https://website-name.com
>
>
>
> P.S. - It is not allowed to follow such practice due to security concerns.
> You should look for some other way to fulfil your task. Using Iframe is
> also not recommended as you are showing the content from the other website
> which makes it vulnerable to ClickJacking attacks.
>
> *Thanks and Regards,*
> *Shubham Agrawal*
> *Enterprise Software Engineer*
> *Hotwax Systems Pvt Ltd*
>
> On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <
> slidingfilaments@gmail.com
> > wrote:
>
> > Hi Amalesh,
> >
> > What do you mean by "I imported running ofbiz in to my project through
> > Iframe"? I'm not sure I understand what you're referring to?
> >
> > Cheers,
> >
> > Taher Alkhateeb
> >
> > On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <am...@gmail.com>
> > wrote:
> >
> > > Hello,
> > > My name is Amalesh, I am using Apache ofbiz 16 version in my
> > > project. For that I imported running ofbiz in to my project through
> > Iframe.
> > > It is not working, when I debug the browser could not able to display
> the
> > > url because it set 'X-Frame-Options' to 'sameorigin'.
> > > Now I want to remove the x-frame-options from ofbiz, how can I
> > > change the x-frame-options. Or else is there any other way to bring the
> > > ofbiz in to Iframe.
> > > Please let me know the solution for the above problem.
> > >
> > > Thank You.
> > >
> > > --
> > >
> > > *Warm Regards,*
> > > *Amalesh.R*
> > > *9677843593.*
> > >
> >
>
Re: Issue on Ofbiz in Iframe
Posted by Shubham Agrawal <sh...@hotwaxsystems.com>.
Hi Amalesh,
X-Frame-Options is a security implementation which is inserted by the
server in the response header. This response header prevents any browser from
rendering a page in HTML tags like <iframe>.
According to you, the X-Frame-Options is set to SameOrigin. For your case
to work, I think you can change it to ALLOW-FROM https://website-name.com
To change the X-Frame-Options in OFBiz:
1) Traverse to this file
/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
2) Search for sameorigin.
3) Replace sameorigin with ALLOW-FROM https://website-name.com
P.S. - It is not allowed to follow such practice due to security concerns.
You should look for some other way to fulfil your task. Using Iframe is
also not recommended as you are showing the content from the other website
which makes it vulnerable to ClickJacking attacks.
*Thanks and Regards,*
*Shubham Agrawal*
*Enterprise Software Engineer*
*Hotwax Systems Pvt Ltd*
On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <slidingfilaments@gmail.com> wrote:
> Hi Amalesh,
>
> What do you mean by "I imported running ofbiz in to my project through
> Iframe"? I'm not sure I understand what you're referring to?
>
> Cheers,
>
> Taher Alkhateeb
>
> On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <am...@gmail.com>
> wrote:
>
> > Hello,
> > My name is Amalesh, I am using Apache ofbiz 16 version in my
> > project. For that I imported running ofbiz in to my project through
> Iframe.
> > It is not working, when I debug the browser could not able to display the
> > url because it set 'X-Frame-Options' to 'sameorigin'.
> > Now I want to remove the x-frame-options from ofbiz, how can I
> > change the x-frame-options. Or else is there any other way to bring the
> > ofbiz in to Iframe.
> > Please let me know the solution for the above problem.
> >
> > Thank You.
> >
> > --
> >
> > *Warm Regards,*
> > *Amalesh.R*
> > *9677843593.*
> >
>
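Added example, not part of any post in this thread and not OFBiz or Tomcat code: a simplified JavaScript model of how current browsers treat the X-Frame-Options values discussed above. It goes beyond the thread by including the CSP `frame-ancestors` directive, the standard replacement for `ALLOW-FROM`, which current browsers ignore; the origins `https://ofbiz.example.com` and `https://other.example` and all function names are assumptions.

```javascript
// Simplified model (added example) of a current browser's framing decision
// for a page embedded one level deep in a top-level parent document.
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingDecision(headers, pageOrigin, parentOrigin) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();

  // 1. CSP frame-ancestors, when present, overrides X-Frame-Options.
  const sources = parseFrameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    const allowed = sources.some((s) =>
      s === "*" ||
      (s.toLowerCase() === "'self'" && parentOrigin === pageOrigin) ||
      s.replace(/\/$/, "") === parentOrigin); // exact origin match only
    return { allowed, decidedBy: "csp frame-ancestors" };
  }

  // 2. Otherwise fall back to X-Frame-Options.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parentOrigin === pageOrigin, decidedBy: "x-frame-options" };
  }
  // ALLOW-FROM (or any unrecognised value) is ignored by current browsers,
  // which leaves the page frameable from every origin.
  return { allowed: true, decidedBy: xfo ? "ignored x-frame-options" : "no policy" };
}

// Constructed sample: hypothetical OFBiz origin, the placeholder site from the post.
const OFBIZ = "https://ofbiz.example.com";
const PARENT = "https://website-name.com";
const OTHER = "https://other.example";
const cases = [
  [{ "X-Frame-Options": "sameorigin" }, PARENT],
  [{ "X-Frame-Options": "ALLOW-FROM " + PARENT }, OTHER],
  [{ "Content-Security-Policy": "frame-ancestors 'self' " + PARENT }, PARENT],
  [{ "Content-Security-Policy": "frame-ancestors 'self' " + PARENT }, OTHER],
];
for (const [hdrs, parent] of cases) console.log(parent, framingDecision(hdrs, OFBIZ, parent));
```

In this model the `ALLOW-FROM` response is frameable from the unrelated origin as well, while the `frame-ancestors` policy admits only OFBiz itself and the named parent.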
Re: Issue on Ofbiz in Iframe
Posted by Taher Alkhateeb <sl...@gmail.com>.
Hi Amalesh,
What do you mean by "I imported running ofbiz in to my project through
Iframe"? I'm not sure I understand what you're referring to?
Cheers,
Taher Alkhateeb
On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <am...@gmail.com>
wrote:
> Hello,
> My name is Amalesh, I am using Apache ofbiz 16 version in my
> project. For that I imported running ofbiz in to my project through Iframe.
> It is not working, when I debug the browser could not able to display the
> url because it set 'X-Frame-Options' to 'sameorigin'.
> Now I want to remove the x-frame-options from ofbiz, how can I
> change the x-frame-options. Or else is there any other way to bring the
> ofbiz in to Iframe.
> Please let me know the solution for the above problem.
>
> Thank You.
>
> --
>
> *Warm Regards,*
> *Amalesh.R*
> *9677843593.*
>