Page Cannot be Loaded in Iframe
Posted by Mark [Elevated X Support] on 08 February 2023 10:01 AM
Page Cannot be Loaded in iFrame
Due to the risk of clickjacking attacks, the CMS software by default will no longer allow elements of your site to be loaded into an iframe. More details on what this is, and why, are detailed below.
What is Clickjacking?
Clickjacking happens when an attacker creates a separate site that impersonates your site, then loads your site within an iframe. The attacker is then able to do things like monitor keyboard input and overlay buttons over your site, which can potentially be used for stealing login information.
A more detailed, technical explanation of this is available here:
My Site Uses iFrames, what do I do?
There are a couple mitigation strategies that you can do here:
Globally Changing X-Options-Header
In your CMS Admin Panel, click the gear and go to Global Settings. Under "General Config Options", you'll see a setting called "X-Frame Options". If this value is set to Deny, change it to Same Origin. If this does not work, please change this value to "None". We don't recommend keeping this setting permanently, but setting this temporarily until you find other mitigation strategies.
Per Area in cmsinclude.ini.php
In cmsinclude.ini.php, you can now add an option under [flags] called X_FRAME_OPTIONS. Valid options here are NONE, DENY and SAMEORIGIN.
I use EX Protect within an iFrame
Similarly, Ex Protect allows for similar configuration within the [main] heading in config.php in the /elxprotect/ folder. Valid options here are NONE, DENY and SAMEORIGIN.
I use the CMS Admin Panel within an iFrame
This is no longer supported.