Display the Web Portal in an iframe of a website from another domain

By default, the Web Portal uses the HTTP Response Header X-Frame-Options: SAMEORIGIN. This prevents display of the Web Portal in an iframe of a website from another domain and has been implemented for security reasons.

To allow display of the Web Portal in an iframe of a website from another domain in a secure way:

  1. Browse to the installation folder of the Web Portal (located by default at C:\Program Files (x86)\RES Software\IT Store\Web Portal).
  2. In the Config folder, locate the WebPortal.config file and open it, for example with Notepad.
  3. In the file, find the node <application> and remove its attribute allowInFrame="true", if it exists.
  4.  Also in the node <application>:
    • Create a new node named <overwriteHttpHeaders>
    • Inside that node, add the lines:
      • <add name="X-Frame-Options" value="ALLOW-FROM https://mydomain1.com"/></add>
      • <add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://mydomain1.com https://mydomain2.com"/>
    • Replace the domains at frame-ancestors with the domain(s) that are allowed to display the Web Portal, but do not delete or change'self'.
  5. Save your changes.
    If you get an 'Access denied' error, start Notepad using Run as administrator, open the file from there and return to step 3.
  • Microsoft Internet Explorer does not support the HTTP Response Header Content-Security-Policy. It will use the X-Frame-Options header, which only supports one domain.
  • Most other browsers will use the header Content-Security-Policy, which supports multiple domains.