Multiple sites configured to use X-Frame Options headers - SmartPlant Foundation - IM Update 46 - Help - Hexagon

SmartPlant Foundation Web Client Help

SmartPlant Foundation / SDx Version: 10

When multiple Web Client site domains are configured on a single SmartPlant Foundation application server site, you can experience issues if your system is deployed with X-Frame-Options headers. The X-Frame-Options HTTP response security header can be used to protect the application server site against clickjacking: it tells the browser whether it may render a page inside a frame, iframe, embed, or object element.

Problem

When there are multiple Web Client site domains configured on a single SmartPlant Foundation application server with X-Frame-Options headers, functionality is restricted. This is because a single X-Frame-Options header can only name one allowed domain, so a fixed header value cannot cover several Web Client domains at once. For example:

  • When the requesting domain does not match any of the allowed white-list Web Client domains, the server responds with X-Frame-Options: SAMEORIGIN.

  • When the configuration item is not set or the X-Frame-Options value is left empty, the server response contains no X-Frame-Options header at all.

Solution

When your system is deployed with multiple Web Client domains and you enforce the X-Frame-Options security header, you can use the FrameOptionsWhiteList configuration item to dynamically return the correct X-Frame-Options header.

The domains you set must be the allowed white-list of Web Client site domains in your system. The domains are set as a comma-separated list in the Web.config file of the server site:

<add key="FrameOptionsWhiteList" value="domain1, domain2" />

For example:

  • If the request comes from https://domain1/some-url, the response contains the header X-Frame-Options: ALLOW-FROM https://domain1.

  • If the request comes from https://domain2/some-url, the response contains the header X-Frame-Options: ALLOW-FROM https://domain2.
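The following is an added example, not Hexagon's own code, that reimplements the header selection described above so you can check the expected behaviour for a given white-list. It assumes the requesting domain is taken from the request's Referer or Origin URL, that the white-list is the raw FrameOptionsWhiteList value from Web.config, and that the emitted ALLOW-FROM origin always uses https, as in the examples on this page. Matching is on the exact hostname, so a look-alike host such as domain1.attacker.example does not match domain1. Because ALLOW-FROM is obsolete and ignored by current browsers, the example also builds the equivalent Content-Security-Policy frame-ancestors directive, which can list every white-listed domain in one static header.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def parse_whitelist(value: Optional[str]) -> List[str]:
    """Parse the FrameOptionsWhiteList value ("domain1, domain2") into
    a list of lowercase hostnames. Empty or missing values give []."""
    if not value:
        return []
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def request_host(url: Optional[str]) -> Optional[str]:
    """Extract the hostname from a request URL (assumed to come from the
    Referer or Origin header). Returns None when there is no usable host."""
    if not url:
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def frame_options_header(request_url: Optional[str],
                         whitelist_value: Optional[str]) -> Optional[str]:
    """Return the X-Frame-Options value the server should send for this
    request, following the rules on this page:
      - no configuration / empty white-list  -> no header (None)
      - host is in the white-list            -> ALLOW-FROM https://<host>
      - anything else                        -> SAMEORIGIN
    """
    allowed = parse_whitelist(whitelist_value)
    if not allowed:
        return None
    host = request_host(request_url)
    # Exact hostname comparison: a substring or suffix check would let
    # "domain1.attacker.example" pass as "domain1".
    if host is not None and host in allowed:
        return f"ALLOW-FROM https://{host}"
    return "SAMEORIGIN"


def csp_frame_ancestors(whitelist_value: Optional[str]) -> Optional[str]:
    """Build the modern equivalent as a CSP directive. Unlike ALLOW-FROM,
    frame-ancestors accepts several origins, so one static header covers
    every white-listed Web Client domain."""
    allowed = parse_whitelist(whitelist_value)
    if not allowed:
        return None
    origins = " ".join(f"https://{d}" for d in allowed)
    return f"frame-ancestors 'self' {origins}"


if __name__ == "__main__":
    # Constructed sample configuration and requests, mirroring the page.
    config = "domain1, domain2"
    for url in ("https://domain1/some-url",
                "https://domain2/some-url",
                "https://other.example/page",
                "https://domain1.attacker.example/page"):
        print(url, "->", frame_options_header(url, config))
    print("CSP:", csp_frame_ancestors(config))
```

Run the file directly to see the header chosen for each constructed request; the two white-listed hosts get ALLOW-FROM, the others fall back to SAMEORIGIN. When verifying a deployment, compare the X-Frame-Options value in the real server response against what this function returns for the same Referer, and prefer adding the frame-ancestors header alongside it so that browsers that no longer honour ALLOW-FROM still enforce the same restriction.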