Revision history - Axon.ivy

**Secure Headers** By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. ![default config][1] **Where to configure secure headers** Security headers are normally configured on a front-end webserver such as NginX or IIS. The ~~actualy enforcement of the~~ policies are ~~done by~~ the enforcedby the webBrowser of the ~~client.~~ client (at least on modern browsers). We definitively recommend to set headers such as the `Content-Security-Policy` or `X-Frame-Options` on a front-end webserver - not on the embedded ivy Tomcat. However. This tutorial tells you how to deal with this headers if you do not have a front-end webserver. ---------- **Allow a single domain access** To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-security-policy][2]** Unfortunately the X-FRAME-OPTIONS header is [not interpreted by Chrome][3]. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][4] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][5]. Copy the [JAR][6] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][7]![cspBlockChrome][8] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://answers.axonivy.com/upfiles/allowOnlyFramesFromOwnWebserver.png [2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 [4]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [6]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [8]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

**Secure Headers** By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. ![default config][1] **Where to configure secure headers** Security headers are normally configured ~~and enforced by~~ on a front-end webserver such as NginX or IIS. ~~And we~~ The actualy enforcement of the policies are done by the webBrowser of the client. We definitively recommend to set headers such as the `Content-Security-Policy` or `X-Frame-Options` on a front-end webserver - not on the embedded ivy Tomcat. However. This tutorial tells you how to deal with this headers if you do not have a front-end webserver. ---------- **Allow a single domain access** To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-security-policy][2]** Unfortunately the X-FRAME-OPTIONS header is [not interpreted by Chrome][3]. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][4] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][5]. Copy the [JAR][6] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][7]![cspBlockChrome][8] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://answers.axonivy.com/upfiles/allowOnlyFramesFromOwnWebserver.png [2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 [4]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [6]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [8]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

**Secure Headers** By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. ![default config][1] **Where to configure secure headers** Security headers are normally configured and enforced by a front-end webserver such as NginX or IIS. And we definitively recommend to set headers such as the `Content-Security-Policy` or `X-Frame-Options` on a front-end webserver - not on the embedded ivy Tomcat. However. This tutorial tells you how to deal with this headers if you do not have a front-end webserver. ---------- **Allow a single domain access** To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-security-policy][2]** Unfortunately the X-FRAME-OPTIONS header is [not interpreted by Chrome][3]. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][4] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][5]. Copy the [JAR][6] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][7]![cspBlockChrome][8] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://answers.axonivy.com/upfiles/allowOnlyFramesFromOwnWebserver.png [2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 [4]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [6]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [8]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. ![default config][1] **Allow a single domain access** To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-security-policy][1]**content-security-policy][2]** Unfortunately the X-FRAME-OPTIONS header is [not interpreted by ~~Chrome][2].~~ Chrome][3]. Therefore the access from any Domain is possible when the client uses Chrome. ~~![chromeIgnoreXFrameOpts][3]~~![chromeIgnoreXFrameOpts][4] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a ~~[ContentSecurityPolicyFilter][4].~~ [ContentSecurityPolicyFilter][5]. Copy the ~~[JAR][5]~~ [JAR][6] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ~~![cspBlockFirefox][6]![cspBlockChrome][7]~~![cspBlockFirefox][7]![cspBlockChrome][8] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://answers.axonivy.com/upfiles/allowOnlyFramesFromOwnWebserver.png [2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors ~~[2]:~~ [3]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 ~~[3]:~~ [4]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png ~~[4]:~~ [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter ~~[5]:~~ [6]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar ~~[6]:~~ [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png ~~[7]:~~ [8]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]**content-security-policy][1]** Unfortunately the X-FRAME-OPTIONS header is [not interpreted by Chrome][2]. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][3] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][4]. Copy the [JAR][5] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][6]![cspBlockChrome][7] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 [3]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [4]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [6]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is ~~not~~ [not interpreted by ~~Chrome.~~ Chrome][2]. Therefore the access from any Domain is possible when the client uses Chrome. ~~![chromeIgnoreXFrameOpts][2]~~![chromeIgnoreXFrameOpts][3] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a ~~[ContentSecurityPolicyFilter][3].~~ [ContentSecurityPolicyFilter][4]. Copy the ~~[JAR][4]~~ [JAR][5] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ~~![cspBlockFirefox][5]![cspBlockChrome][6]~~![cspBlockFirefox][6]![cspBlockChrome][7] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://bugs.chromium.org/p/chromium/issues/detail?id=129139 [3]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png ~~[3]:~~ [4]: https://github.com/ivy-samples/ContentSecurityPolicyFilter ~~[4]:~~ [5]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar ~~[5]:~~ [6]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png ~~[6]:~~ [7]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][2] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][3]. Copy the [JAR][4] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][5]![cspBlockChrome][6] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> ~~<param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value>~~<param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> ~~<param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value>~~<param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [3]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [4]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [5]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [6]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][2] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][3]. Copy the [JAR][4] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. In any request fired against the Axon.ivy Engine the response header `Content-Disposition-Policy: frame-ancestors https://myParentDomain.com` should be visible. ![cspBlockFirefox][5]![cspBlockChrome][6] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [3]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [4]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [5]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [6]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][2] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][3]. Copy the ~~JAR~~ [JAR][4] with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. ~~![cspBlockFirefox][4]![cspBlockChrome][5]~~![cspBlockFirefox][5]![cspBlockChrome][6] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [3]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [4]: https://github.com/ivy-samples/ContentSecurityPolicyFilter/releases/download/2.0.1-SNAPSHOT/ContentSecurityPolicyFilter-2.0.1-SNAPSHOT.jar [5]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png ~~[5]:~~ [6]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][2] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][3]. Copy the JAR with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. ![cspBlockFirefox][4]![cspBlockChrome][5] Full Web.xml: <filter-mapping> <filter-name>httpSecurityHeaders</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> <filter> <filter-name>httpSecurityHeaders</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myremotedomainthatembeddsaxonivywithaniframe.com/</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [3]: https://github.com/ivy-samples/ContentSecurityPolicyFilter [4]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [5]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. ![chromeIgnoreXFrameOpts][2] To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as ~~well.~~ well. This can be achieved with a ~~[ContentSecurityPolicyFilter][2].~~ [ContentSecurityPolicyFilter][3]. Copy the JAR with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. ~~![cspBlockFirefox][3]![cspBlockChrome][4]~~![cspBlockFirefox][4]![cspBlockChrome][5] [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://answers.axonivy.com/upfiles/chromeInvalidXFrameOpt.png [3]: https://github.com/ivy-samples/ContentSecurityPolicyFilter ~~[3]:~~ [4]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png ~~[4]:~~ [5]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][2]. Copy the JAR with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> **Verify the solution** Try to embedd Axon.ivy in an IFRAME from a not whitelisted domain should end in a clear error in the browser console. And no content should be visible in the frame. ![cspBlockFirefox][3]![cspBlockChrome][4] [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: ~~https://github.com/ivy-samples/ContentSecurityPolicyFilter~~https://github.com/ivy-samples/ContentSecurityPolicyFilter [3]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_firefox.png [4]: https://answers.axonivy.com/upfiles/blockFrameByContentSecurityPolicy_chrome.png

By default an Axon.ivy engine will block request that come from an IFRAME of another webserver. This is done with the HttpSecurityHeaderFilter that is configured in the ~~`web.xml`.~~ `[designerORengine]/webapps/ivy/WEB-INF/web.xml`. To ~~nable~~ enable a specific domain to access Axon.ivy content the init parameters of the HttpSecurityHeaderFilter must be adjusted as follows: <init-param> <param-name>antiClickJackingOption</param-name> <param-value>ALLOW-FROM</param-value> </init-param> <init-param> <param-name>antiClickJackingUri</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> ~~Enable the content-disposition-policy! https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors~~This will set the HTTP response header `X-Frame-Options: ALLOW-FROM http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com`. **[Enable the content-disposition-policy][1]** Unfortunately the X-FRAME-OPTIONS header is not interpreted by Chrome. Therefore the access from any Domain is possible when the client uses Chrome. To restrict it for modern Browsers the HTTP response header `Content-Security-Policy` has to be set as well. This can be achieved with a [ContentSecurityPolicyFilter][2]. Copy the JAR with this filter into `[designerORengine]/webapps/ivy/WEB-INF/lib`. Afterwards the filter can be added and configured in the `web.xml`. <filter-mapping> <filter-name>ContentSecurityPolicyFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>ContentSecurityPolicyFilter</filter-name> <filter-class>de.saville.csp.ContentSecurityPolicyFilter</filter-class> <init-param> <param-name>report-only</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>default-src</param-name> <param-value>'self' 'unsafe-inline'</param-value> </init-param> <init-param> <param-name>frame-ancestors</param-name> <param-value>http://myRemoteDomainThatEmbeddsAxonIvyWithAnIFrame.com</param-value> </init-param> </filter> [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors [2]: https://github.com/ivy-samples/ContentSecurityPolicyFilter