
Question:
Why is the URL integration not displayed in an iframe?

Basics about iframes:
An iframe is an HTML element that allows you to embed one webpage within another webpage.
A URL integration is part of the DocuWare WebClient.

To embed a URL integration in another webpage, you need three parts:

  • The address of the URL integration
  • An iframe HTML element in your webpage
  • Embedding permission: The browser requires permission information from the embedded webpage. This permission is shared through headers. The header configuration is done on the server that hosts the DocuWare frontend.

Grant embedding permission:
If the host (URL), port, or protocol of DocuWare and your webpage differs, you must grant permission.

  1. From DocuWare 6.5 to DocuWare 7.10 (see the instructions below)
  2. From DocuWare 7.11 (see the instructions below)
  3. With SSO login from an external provider
    • In this case, you also need permission from your external SSO provider, in addition to point 1 or 2, because you redirect your users to the provider's server for authentication.

DocuWare 7.11
The permission is granted via CORS policy in the appsettings.json file under DocuWare\Web\Platform.
The base structure of the JSON file includes the SecuritySettings key for this purpose:

    "SecuritySettings": {
      "ContentSecurityPolicy": "frame-ancestors 'self'",
      "Cors": {
        "Enabled": false,
        "AllowedOrigins": ""
      }
    },

A description and an example of the key configuration can be found in our Knowledge Center:
https://knowledgecenter.docuware.com/docs/install-docuware-on-premises-version-711#securitysettings
 

DocuWare 6.5 to DocuWare 7.10 
In DocuWare 6.5 to 7.10, permission can be granted by configuring X-Frame-Options. This can serve as an ad-hoc workaround to enable embedding. However, it increases the vulnerability of the webpage to cross-site attacks and poses a security risk. Technically speaking, with the configuration below the browser no longer receives instructions from the DocuWare webpage to prevent embedding when DocuWare is embedded in a webpage with a different URL.

  1. Back up the file "C:\Program Files\DocuWare\Web\Platform\Web.config"
    or, for older versions, "C:\Program Files (x86)\DocuWare\Web\Platform\Web.config"
  2. Open the file "Web.config"
  3. Find the following entry:
    <location path="WebClient">
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </location>
  4. Remove this entry or comment it out (as in this example):
    <!-- <location path="WebClient">
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </location> -->
  5. Save your changes
  6. A component restart is not required!

    The Web Client can now be displayed in a cross-domain iframe.
    If you are using DocuWare 6.5, you must also install Hotfix 21:
    https://dwsupport.blob.core.windows.net/supportdownloads/hotfixes/6.5/DW6.5_Hot21.zip


CORS provides more security. Setting up CORS or proxy servers is a technical matter that must be conducted by your own server administrator or IT service provider.
DocuWare is not responsible for the configuration or operation of your server or network. DocuWare only offers the Web Client as a software solution that you can install and use on your server.

Warning: If you disable the X-Frame-Options SAMEORIGIN setting, you open a security vulnerability. This allows attackers to send requests from other origins and exploit it as cross-site scripting.
Therefore, we recommend keeping the SAMEORIGIN option and operating both applications (the one in which DocuWare is embedded as an iframe and DocuWare itself) on the same server.
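
The following Python sketch is an added example, not DocuWare code: it models how a browser decides, from the X-Frame-Options and Content-Security-Policy frame-ancestors headers, whether a page may be embedded by a parent whose host, port, or protocol differs. The host names are constructed placeholders, and only the direct parent page and exact-origin sources are modelled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(protocol, host, port): all three must match for two URLs to be same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the CSP has none."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, parent_url, framed_url):
    if source == "*":
        return True
    if source.lower() == "'self'":
        return origin(parent_url) == origin(framed_url)
    if "://" in source and "*" not in source:  # exact origin, e.g. https://host
        return origin(source) == origin(parent_url)
    return False  # 'none'; wildcard and scheme-only sources are treated as no match

def framing_allowed(headers, framed_url, parent_url):
    """True if a browser would render framed_url inside a page at parent_url."""
    h = {name.lower(): value for name, value in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        return any(source_matches(s, parent_url, framed_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(parent_url) == origin(framed_url)
    return True  # no framing header at all: any page may embed it

# Constructed sample values; the host names are placeholders (assumptions).
DOCUWARE = "https://docuware.example.com/"
PORTAL = "https://intranet.example.com/portal"

if __name__ == "__main__":
    print("SAMEORIGIN, different host:", framing_allowed({"X-Frame-Options": "SAMEORIGIN"}, DOCUWARE, PORTAL))
    print("header removed:", framing_allowed({}, DOCUWARE, PORTAL))
    scoped = {"Content-Security-Policy": "frame-ancestors 'self' https://intranet.example.com"}
    print("frame-ancestors with portal origin:", framing_allowed(scoped, DOCUWARE, PORTAL))
```

Removing the header entirely allows every parent page, whereas a frame-ancestors list that names the embedding origin allows only that one.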


The latest generation browsers also prohibit cross-domain communications without HTTPS.
Therefore, since DocuWare 7.4, using DocuWare within an iframe over HTTP is no longer supported (except in Firefox or when the iframe domain is identical to the browser domain).
See technical changes in DocuWare 7.4


 