Hello,
My name is Amalesh. I am using Apache OFBiz version 16 in my project. For that, I imported a running OFBiz into my project through an iframe. It is not working; when I debug, the browser was not able to display the URL because it set 'X-Frame-Options' to 'sameorigin'.

Now I want to remove the X-Frame-Options from OFBiz. How can I change the X-Frame-Options? Or else, is there any other way to bring OFBiz into an iframe?

Please let me know the solution for the above problem.

Thank You.

--
*Warm Regards,*
*Amalesh.R*
*9677843593.*

Hi Amalesh,
What do you mean by "I imported running ofbiz in to my project through Iframe"? I'm not sure I understand what you're referring to.

Cheers,

Taher Alkhateeb

On Wed, Apr 12, 2017 at 10:09 AM, amalesh paul <[hidden email]> wrote:

> Hello,
> My name is Amalesh, I am using Apache ofbiz 16 version in my
> project. For that I imported running ofbiz in to my project through Iframe.
> It is not working, when I debug the browser could not able to display the
> url because it set 'X-Frame-Options' to 'sameorigin'.
> Now I want to remove the x-frame-options from ofbiz, how can I
> change the x-frame-options. Or else is there any other way to bring the
> ofbiz in to Iframe.
> Please let me know the solution for the above problem.
>
> Thank You.
>
> --
>
> *Warm Regards,*
> *Amalesh.R*
> *9677843593.*

Hi Amalesh,

X-Frame-Options is a security implementation which is inserted by the server in the response header. This response header prevents any browser from rendering a page in HTML tags like <iframe>.

According to you, the X-Frame-Options is set to SameOrigin. For your case to work, I think you can change it to ALLOW-FROM https://website-name.com

To change the X-Frame-Options in OFBiz:

1) Traverse to this file
/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

2) Search for sameorigin.

3) Replace sameorigin with ALLOW-FROM https://website-name.com

P.S. - It is not allowed to follow such practice due to security concerns. You should look for some other way to fulfil your task. Using Iframe is also not recommended as you are showing the content from the other website which makes it vulnerable to ClickJacking attacks.

*Thanks and Regards,*
*Shubham Agrawal*
*Enterprise Software Engineer*
*Hotwax Systems Pvt Ltd*

On Wed, Apr 12, 2017 at 3:45 PM, Taher Alkhateeb <[hidden email]> wrote:

> Hi Amalesh,
>
> What do you mean by "I imported running ofbiz in to my project through
> Iframe"? I'm not sure I understand what you're referring to?
>
> Cheers,
>
> Taher Alkhateeb

Hi Amalesh,
If you want to render some specific view to iframe then you can set the x-frame-options in view mapping as well.

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Wed, Apr 12, 2017 at 4:30 PM, Shubham Agrawal <[hidden email]> wrote:

> Hii Amalesh,
>
> X-Frame-Options is a security implementation which is inserted by the
> server in response header. This response header avoids any browser to
> render a page in HTML tags like <iframe>.
>
> According to you, the X-Frame-Options is set to SameOrigin. For your case
> to work, I think you can change it to ALLOW-FROM https://website-name.com
>
> To change the X-Frame-Options in OFBiz:
>
> 1) Traverse to this file
> /framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
>
> 2) Search for sameorigin.
>
> 3) Replace sameorigin with ALLOW-FROM https://website-name.com
>
> P.S. - It is not allowed to follow such practice due to security concerns.
> You should look for some other way to fulfil your task. Using Iframe is
> also not recommended as you are showing the content from the other website
> which makes it vulnerable to ClickJacking attacks.
>
> *Thanks and Regards,*
> *Shubham Agrawal*
> *Enterprise Software Engineer*
> *Hotwax Systems Pvt Ltd*

Hi Amalesh,
You can also set it in web.xml file of your component as Apache Tomcat has already provided the support for that.

Just add *HttpHeaderSecurityFilter* and then you can set these options as param.

    <filter>
        <display-name>HttpHeaderSecurityFilter</display-name>
        <filter-name>HttpHeaderSecurityFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

Refer https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html

Thanks & Regards,
Aditya Sharma
Enterprise Software Engineer
HotWax Systems Pvt. Ltd.
http://www.hotwaxsystems.com/

On Wed, Apr 12, 2017 at 4:53 PM, Deepak Dixit <[hidden email]> wrote:

> Hi Amalesh,
>
> If you want to render some specific view to iframe then you can set the
> x-frame-options in view mapping as well.
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com

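Added example, not part of the original thread and not OFBiz or Tomcat code: current browsers ignore the `ALLOW-FROM` value of X-Frame-Options, so letting one external site frame a page is done with the Content-Security-Policy `frame-ancestors` directive instead. The servlet filter below emits that directive for origins listed in web.xml and keeps `SAMEORIGIN` as the fallback for older browsers; the class name `FrameAncestorsFilter` and the `allowedAncestors` init-param are assumptions, and it targets the javax.servlet API used by Tomcat 8.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: allows framing only by this site and explicitly listed HTTPS origins. */
public class FrameAncestorsFilter implements Filter {
    // Accepts https://host[:port] only; rejects paths, wildcards, whitespace and CR/LF.
    private static final Pattern ORIGIN =
            Pattern.compile("https://[A-Za-z0-9.-]+(:[0-9]{1,5})?");
    private String policy;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "allowedAncestors" is an assumed init-param: space-separated origins,
        // e.g. https://website-name.com (the placeholder used in the thread).
        String raw = config.getInitParameter("allowedAncestors");
        List<String> sources = new ArrayList<>();
        sources.add("'self'");
        if (raw != null) {
            for (String origin : raw.trim().split("\\s+")) {
                if (origin.isEmpty()) continue;
                if (!ORIGIN.matcher(origin).matches()) {
                    // Fail at startup rather than serve a malformed or over-broad policy.
                    throw new ServletException("Invalid frame ancestor: " + origin);
                }
                sources.add(origin);
            }
        }
        policy = "frame-ancestors " + String.join(" ", sources);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Browsers that understand frame-ancestors use it and ignore X-Frame-Options;
        // older ones fall back to SAMEORIGIN and refuse cross-site framing.
        // Code later in the chain that calls setHeader with these names overrides them.
        http.setHeader("Content-Security-Policy", policy);
        http.setHeader("X-Frame-Options", "SAMEORIGIN");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Like any servlet filter, it takes effect only once web.xml has both a `<filter>` entry and a `<filter-mapping>` for it; mapping it only to the views that must be embedded keeps every other page unframeable from other sites.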
Hi Amalesh
You might also be interested by https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers and https://issues.apache.org/jira/browse/OFBIZ-6766

But please remember to rather use the user ML for such questions, see why here http://ofbiz.apache.org/mailing-lists.html

You will get better support and it's more fair to share with everybody.
The wider the audience, the better the answers you might get.

Thanks

Jacques

On 26/04/2017 at 06:09, Aditya Sharma wrote:

> Hi Amalesh,
>
> You can also set it in web.xml file of your component as Apache Tomcat has
> already provided the support for that.
>
> Just add *HttpHeaderSecurityFilter* and then you can set these options as
> param.
>
> <filter>
>     <display-name>HttpHeaderSecurityFilter</display-name>
>     <filter-name>HttpHeaderSecurityFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <init-param>
>         <param-name>antiClickJackingOption</param-name>
>         <param-value>SAMEORIGIN</param-value>
>     </init-param>
> </filter>
>
> Refer
>
> https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html
>
> Thanks & Regards,
> Aditya Sharma
> Enterprise Software Engineer
> HotWax Systems Pvt. Ltd.
> http://www.hotwaxsystems.com/