Content in iFrame in Mendix blocked because of X-Frame-Options set to sameorigin.

0
I’m trying to embed an iframe in Mendix 9 with the IFrame Component to show a dashboard from an external BI tool (Qlik Sense). The content in the frame is blocked by the browser because the user is redirected by Qlik Sense to an external identity provider (Okta) for authentication. The reason seems to be the X-Frame-Options header set to ‘sameorigin’. How can I resolve this issue?
asked
2 answers
0

The header is set by Qlik, so you need to change this on the Qlik side. But I am not sure if this fixes your problem. When it is allowed to embed the site in an iframe, I assume you will still get a redirection (in the iframe) if the user is not yet authenticated.

answered
0

X-Frame-Options is a header included in the response to the request to state if the domain requested will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.

 

answered
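The framing check described in the answers above, as an added example that is not part of the original thread: it evaluates `X-Frame-Options` and the CSP `frame-ancestors` directive for each document the frame would have to render. The hostnames and header values are constructed for illustration and are not captured from Qlik Sense or Okta; the model assumes a frame placed directly in the top-level page and matches `frame-ancestors` sources by exact origin only.

```javascript
// Would a browser render this response inside a frame on `embedder`?
// embedder: origin of the embedding page; url: URL of the framed document.
function framingVerdict(embedder, url, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const self = new URL(url).origin;

  // When CSP frame-ancestors is present, browsers apply it in preference
  // to X-Frame-Options.
  const fa = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // Simplification: '*', 'self' and exact origins only (no host wildcards).
    const ok = fa.slice(1).some(src =>
      src === '*' || (src === "'self'" && embedder === self) || src === embedder);
    return ok ? 'allowed' : 'blocked by CSP frame-ancestors';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked by X-Frame-Options: DENY';
  if (xfo === 'SAMEORIGIN' && embedder !== self)
    return 'blocked by X-Frame-Options: SAMEORIGIN';
  return 'allowed';
}

// Evaluate every document the frame ends up showing, sign-in page included.
function frameReport(embedder, docs) {
  return docs.map(d => ({
    url: d.url,
    verdict: framingVerdict(embedder, d.url, d.headers),
  }));
}

// Constructed sample: the BI tool permits the embedding origin, but the
// identity provider's sign-in page only allows same-origin framing.
const EMBEDDER = 'https://app.mendix.example';
const SAMPLE_DOCS = [
  { url: 'https://qlik.example/sense/app/dashboard',
    headers: { 'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://app.mendix.example" } },
  { url: 'https://login.okta.example/signin',
    headers: { 'X-Frame-Options': 'sameorigin' } },
];

for (const r of frameReport(EMBEDDER, SAMPLE_DOCS)) console.log(r.url, '->', r.verdict);
```

Every document in the flow has to permit the embedding origin, so a change on the BI tool's side alone does not unblock a sign-in page served by another host.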