Does anyone know how to get Acumatica screens to be embedded in an iFrame in a wordpress site? When embedding an Acumatica screen in wordpress - I see the login screen however - after successful login I receive a refused to connect error.
I tried modifying the X-Frame in the web.config file - however still no difference after login. Does anyone know what changes need to be made on the Acumatica site to allow this? Or is it possibly a change that needs to happen in wordpress?
I realize that we should look at integrating the SSO but conceptually would think that the iFrames would work with or without SSO being setup yet or am I wrong in that assumption?
the answer provided by Hugues is very valid, but in the scope of Same Site Cookies.
With iFrame you would generally get following exception:
The loading of “https://yoursite.acumatica.com/Main?HideScript=On” in a frame is denied by “X-Frame-Options“ directive set to “SAMEORIGIN“.
For a while solution was to add an explicit header X-Frame-Options and in ALLOW-FROM specify an uri to the site you would like to allow to open Acumatica in iFrame, this however is now outdated: X-Frame-Options
Currently suggested way would be to use frame-ancestors directive of the Content-Security-Policy (frame-ancestors)
For applications that run on IIS, like Acumatica, it is done by finding in web.config
<httpProtocol>
<customHeaders>
...
And modify and add to this clause line like following example:
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://my.site1.com *.site2.net http://localhost:82" />
This is just a syntax example that will allow the Acumatica to be open in iFrame on same domain, on my.site1.com, wildcard for all subdomains on site2.net and on even on the site deployed locally on the server that listens 82 port. Please use last one (http://localhost:82) only for testing purposes.
So the end result in your web.config should look similar to that block (based on SalesDemo deployment):
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="Content-Security-Policy" value="frame-ancestors 'self' https://yourWordPressUri" />
</customHeaders>
</httpProtocol>
Hope this is helping
I believe you are running into a same-site cookie policy error. If the issue was cross site scripting error you wouldn't see the login page.
Same site cookie policy can be disabled in the web config file:
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite#using-samesite-in-aspnet-472-and-48
Change the web.config file settings as follows:
Step 1: Open the web.config file, which is located in the application instance folder.
Step 2: Find the <system.web> section and add the following line to this section:
Note! The first occurrence of <system.web> located in the < location > tag is not the needed section.
Step 3: Add the text highlighted in bold to the following lines:
<formsAuth loginUrl="Frames/Login.aspx" timeout="60" requireSSL="true" />
<sessionState cookieSameSite="None" cookieless="UseCookies" mode="Custom" customProvider="PXSessionStateStore" timeout="60" sessionIDManagerType="PX.Owin.SessionIdManager, PX.Owin">
Related
I have a MVC site that I want to load into Iframe. I have added the X-Frame-Options to AllowAll. When I try to load the site, I can see the html document in developer tools but the IFrame in the Page is blank.
I tried to create a web application on localohost with different port number and where I tried to load the MVC site in Iframe, it didnt work.
I tried to add a html in the same MVC site and loading itself in the html's Iframe (assuming port issue but still it will not load).
Any help will be appreciated.
I recently ran into a similar issue. The X-Frame-Options header did not work for me. I had to use the Content-Security-Policy header. In the web.config file, I set it to frame-src https://my-domain.com like this:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-src {your domain here}" />
</customHeaders>
</httpProtocol>
</system.webServer>
I´m using Plesk and in Web scripting and statistics I have Microsoft ASP support in ON.
I uploaded a application (which works correctly in my PC) to a directory and it can be shown but when I go to the aspx file it shows me the 404 error (The path is the correct).
I noticed that some files in "shtml" extension are neither shown by the server.
This is my very first time with ASP.NET, ISS8 and Plesk. I don´t know what to do. I will thank you for your help
You have to set the HTTP Handler Extension. If you have no access to IIS directly, you could do on the web.config:
Open the Web.config file for the application, locate the httpHandlers element of the system.web section and add an entry for the file-name extension
Example:
<system.webServer>
<handlers>
<add name="SampleHandler" verb="*"
path="SampleHandler.new"
type="SampleHandler, SampleHandlerAssembly"
resourceType="Unspecified" />
</handlers>
</system.webServer>
For more configuration options please refer to:
https://msdn.microsoft.com/en-us/library/bb515343.aspx
and
https://msdn.microsoft.com/en-us/library/46c5ddfy(v=vs.100).aspx
Check also the Custom Handler Policy of Plesk that should not be enabled:
https://docs.plesk.com/en-US/onyx/administrator-guide/plesk-administration/securing-plesk/custom-handlers-policy.76787/
Here I've found also another interesting document:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/handlers/
Scroll down and you'll find a piece of code to add the handlers programmatically, even if I suggest you to add them in your web.config
I'm well aware of how I could set it myself, but I am concerned about having it configured in two different places. To receive the bounty, please tell me where I should look to find the existing setting.
Places we've already looked for the existing setting, without success:
the web.config <StaticContent> section
IIS output caching section, at all three levels:
machine
site
application
Code (I did a global search for SetMaxAge)
Context
We recently noticed that our CSS and JS files aren't getting refreshed. When I inspect the network traffic, they are coming back from the server with a header (Cache-Control: max-age=604800) that gives them a seven-day lifespan.
We need to reduce the cache lifetime. But for the life of me I can't find where it is set.
It is not set in the web.config <StaticContent> section.
It is not set in the IIS output caching section (I looked under the machine, the site, and the application-- they are all blank).
It is not set in code-- I did a global code search for SetMaxAge and got nuthin'.
Where else can I look?
Is it possible it is being set by the gateway or load balancer in our data center?
You can do like this in web config, or you can use IIS ui to change (see link below):
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge"
cacheControlMaxAge="1.00:00:00" /> <!-- 1 day -->
</staticContent>
</system.webServer>
</configuration>
See more here: https://www.iis.net/configreference/system.webserver/staticcontent/clientcache
IIS documentation states that the default value is 1 day.
Here are some other ways what could have affect these settings:
http://www.galcho.com/blog/post/2008/02/27/IIS7-How-to-set-cache-control-for-static-content.aspx
overrideModeDefault value in applicationHost.config
earlier appcmd.exe settings
or client setting can also override your values.
If others tries to iframe my site they get error "Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
". Do they have to change something, or I, or both?
I found there are options for X-Frame-Options :SAMEORIGIN,DENY,and allow only one site. Configuration :IIS8, ASP.NET MVC. Are there any global settings to allow others to iframe my site?
In your golbal.asax.cs set X-Frame-Options to AllowAll:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("X-Frame-Options");
Response.AddHeader("X-Frame-Options", "AllowAll");
}
Since your website is the frame target, you would make all the changes to your website. As you will see below, this is quite simple.
Option 1 - Modify your web application's web.config file
Remove the X-Frame-Options custom header
Before:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="AllowAll" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
After
<system.webServer>
...
<httpProtocol>
<customHeaders/>
</httpProtocol>
...
</system.webServer>
Option 2 - Log onto the web server and access IIS Manager
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder
and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in
the middle.
Select X-Frame-Options from the list
In the Actions pane on the right side, click Remove.
Click OK to save your changes.
I have a customer of ours that sent out a publication referring to my site but they used the wrong address...they did not provide a page name...it looks like this:
mywebsite.org/Resources/toolkits/bridging
when it should have been
mywebsite.org/Resources/toolkits/bridging/default.aspx
Is there a way to tell ASP.NET to default to this default.aspx when it sees this kind of request or even better, have IIS 7 handle this easily?
This site is live so I would like to avoid having to introduce code if possible.
As per other suggestions, this should be done in the IIS configuration for your website using the IIS Admin tool.
There is however, another alternative - you can add a section in the web.config of your actual ASP.NET application, allowing you to override the IIS configuration right from your application:
<system.webServer>
<defaultDocument>
<files>
<clear />
<!-- Specify each of your files by order of preference here -->
<add value="Default.aspx" />
<add value="Index.aspx" />
<add value="MyOtherPage.aspx" />
</files>
</defaultDocument>
</system.webServer>
The caveat to this though is it may be a little obtuse when the IIS administrator can't figure out why the server configuration isn't working the way he's got it configured. It's not always right to do something just because you can.
Finally, just in case you don't have access to the IIS server or your IIS administrator has reasons for not adding Default.aspx to the default document list in the IIS configuration and for whatever reason, you don't wish to override the IIS configuration in your web.config file, then the quickest and simplest way is to simply create a file called default.asp in that directory containing:
<% Response.Redirect("default.aspx") %>
Default.asp is in the default document list on IIS. The code will automatically redirect the call to the correct page. The downside to this approach though is that there's a performance hit - every time someone calls default.asp - directly or otherwise, the redirect needs to happen which isn't free.
In the Documents tab of the web site properties in IIS you can specify default documents. If you are using .Net2.0 or later on that machine then Default.aspx should already be set....
Default.aspx is not, oddly enough, set as the default document in an IIS installation; In IIS 7, the setting is under "HTTP Features", called "Default Document". Add default.aspx to that list and you should be OK.
If not, you'll need to add a 404 handler that redirects when it sees that URL.