Page Cannot be Loaded in iFrame

Due to the risk of clickjacking attacks, the CMS software by default will no longer allow elements of your site to be loaded into an iframe. More details on what this is, and why, are detailed below.

What is Clickjacking?

Clickjacking happens when an attacker creates a separate site that impersonates your site, then loads your site within an iframe. The attacker is then able to do things like monitor keyboard input and overlay buttons over your site, which can potentially be used for stealing login information.

A more detailed, technical explanation of this is available here:

https://owasp.org/www-community/attacks/Clickjacking

My Site Uses iFrames, what do I do?

There are a couple mitigation strategies that you can do here:

Globally Changing X-Options-Header

In your CMS Admin Panel, click the gear and go to Global Settings. Under "General Config Options", you'll see a setting called "X-Frame Options". If this value is set to Deny, change it to Same Origin. If this does not work, please change this value to "None". We don't recommend keeping this setting permanently, but setting this temporarily until you find other mitigation strategies.

• None: Allow site to be loaded from all sites.
• Same Origin: If you specify this, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
• Deny: Deny page from being loaded within iFrame.

Per Area in cmsinclude.ini.php

In cmsinclude.ini.php, you can now add an option under [flags] called X_FRAME_OPTIONS. Valid options here are NONE, DENY and SAMEORIGIN.

I use EX Protect within an iFrame

Similarly, Ex Protect allows for similar configuration within the [main] heading in config.php in the /elxprotect/ folder. Valid options here are NONE, DENY and SAMEORIGIN.

I use the CMS Admin Panel within an iFrame

This is no longer supported.