Display the Web Portal in an iframe of a website from another domain
By default, the Web Portal uses the HTTP Response Header X-Frame-Options: SAMEORIGIN. This prevents display of the Web Portal in an iframe of a website from another domain and has been implemented for security reasons.
To allow display of the Web Portal in an iframe of a website from another domain in a secure way:
1. Browse to the installation folder of the Web Portal (located by default at C:\Program Files (x86)\RES Software\IT Store\Web Portal).
2. In the Config folder, locate the WebPortal.config file and open it, for example with Notepad.
3. In the file, find the node <application> and remove its attribute allowInFrame="true", if it exists.
4. Also in the node <application>:
   - Create a new node named <overwriteHttpHeaders>
   - Inside that node, add the lines:
     - <add name="X-Frame-Options" value="ALLOW-FROM https://mydomain1.com"/>
     - <add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://mydomain1.com https://mydomain2.com"/>
   - Replace the domains at frame-ancestors with the domain(s) that are allowed to display the Web Portal, but do not delete or change 'self'.
5. Save your changes.
If you get an 'Access denied' error, start Notepad using Run as administrator, open the file from there and return to step 3.
- Microsoft Internet Explorer does not support the HTTP Response Header Content-Security-Policy. It will use the X-Frame-Options header, which only supports one domain.
- Most other browsers will use the header Content-Security-Policy, which supports multiple domains.
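
One way to sanity-check the edited <application> node before testing in a browser, as an added example that is not part of the original documentation or the product. The function name and the sample XML are constructed, and treating non-https or wildcard frame-ancestors entries as errors is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the <application> node and its children come from
# the steps above; a real WebPortal.config contains other content as well.
SAMPLE = """<application>
  <overwriteHttpHeaders>
    <add name="X-Frame-Options" value="ALLOW-FROM https://mydomain1.com"/>
    <add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://mydomain1.com https://mydomain2.com"/>
  </overwriteHttpHeaders>
</application>"""


def check_framing_config(xml_text):
    """Return a list of problems found in the framing headers (empty = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"config is not well-formed XML: {exc}"]
    app = root if root.tag == "application" else root.find(".//application")
    if app is None:
        return ["no <application> node found"]
    problems = []
    if "allowInFrame" in app.attrib:
        problems.append("allowInFrame attribute is still present on <application>")
    headers = {a.get("name"): a.get("value", "")
               for a in app.findall("overwriteHttpHeaders/add")}
    # Content-Security-Policy: split into directives, then pick frame-ancestors.
    directives = {}
    for part in headers.get("Content-Security-Policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    ancestors = directives.get("frame-ancestors")
    if ancestors is None:
        problems.append("Content-Security-Policy has no frame-ancestors directive")
        ancestors = []
    else:
        if "'self'" not in ancestors:
            problems.append("frame-ancestors must keep 'self'")
        for src in ancestors:  # assumption of this example: https origins only
            if src != "'self'" and (not src.startswith("https://") or "*" in src):
                problems.append(f"frame-ancestors entry is not a single https origin: {src}")
    # X-Frame-Options: ALLOW-FROM supports only one domain.
    xfo = headers.get("X-Frame-Options", "").split()
    if len(xfo) != 2 or xfo[0].upper() != "ALLOW-FROM":
        problems.append("X-Frame-Options must be 'ALLOW-FROM <one origin>'")
    elif xfo[1] not in ancestors:
        problems.append("X-Frame-Options origin is not listed in frame-ancestors")
    return problems
```

An empty list means the two headers are consistent with each other and with the steps above; each returned string names one thing to fix in the file.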