...good question! ;-)
By default pages rendered by DefaultBufferedContent are returned with "sameorigin" as "x-frame-options" header parameter.
In your constellation I believe there is...
Code:
Some outer page with IFRAME
  in which a .risc page is opened
    in which a PDF page is created with DefaultBufferedContent
If your x-frame-options are now set in the following way...
Code:
(outermost)
"true" by system.xml
"sameorigin" by DefaultBufferedContent
...then the PDF page will not be shown.
Currently the only way to overcome this is to override the following method within your DefaultBufferedContent extension...
Code:
/**
 * In the default implementation the header parameter "x-frame-options" is set
 * to "sameorigin" so that the buffered content is not embed-able into pages
 * coming from some different host. You may override this behavior.
 */
public void preProcessResponse(HttpServletResponse response)
{
    ServletUtil.setResponseHeader(response,"x-frame-options","sameorigin");
}
and set/not set the parameter properly. In case you do not want to set things at all, you just override by:
Code:
public void preProcessResponse(HttpServletResponse response)
{
    // do nothing!
}
This smells like some area of improvement.
In one of our next updates we can provide a configuration for the default that is currently coded to "sameorigin".
Kind regards! Björn
PS: for other readers the security guide https://www.captaincasa.com/docu/eclnt_risc_securityguide/ contains all information "around"...
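
Added example, not part of the original post and not CaptainCasa code: a small JavaScript model of how current browsers evaluate "x-frame-options" for nested frames, where "sameorigin" is compared against every ancestor frame and not only the direct parent. It covers X-Frame-Options only; the host names, paths and function names are constructed for illustration.

```javascript
// Split one response's X-Frame-Options header into lowercase tokens.
function parseXfo(header) {
  if (!header) return [];
  return header.split(",").map((v) => v.trim().toLowerCase()).filter(Boolean);
}

// May `doc` ({url, xfo}) render inside `ancestors` (URLs, outermost first)?
function mayRender(doc, ancestors) {
  if (ancestors.length === 0) return true; // top-level page: header not applied
  const values = [...new Set(parseXfo(doc.xfo))];
  const known = ["deny", "allowall", "sameorigin"];
  // Several different values: blocked as soon as one of them is a known keyword.
  if (values.length > 1) return !values.some((v) => known.includes(v));
  if (values[0] === "deny") return false;
  if (values[0] === "sameorigin") {
    const own = new URL(doc.url).origin;
    // Every ancestor must share scheme, host and port with the framed document.
    return ancestors.every((a) => new URL(a).origin === own);
  }
  return true; // header absent or unrecognised: no framing restriction
}

// Walk a frame chain (outermost first); index of the first blocked frame, or -1.
function firstBlockedFrame(chain) {
  for (let i = 0; i < chain.length; i++) {
    const ancestors = chain.slice(0, i).map((d) => d.url);
    if (!mayRender(chain[i], ancestors)) return i;
  }
  return -1;
}

// Constructed sample chains: outer page -> .risc page -> PDF.
const risc = { url: "https://app.example.org/demo.risc" };
const pdf = { url: "https://app.example.org/report.pdf", xfo: "sameorigin" };
const crossHost = [{ url: "https://portal.example.com/index.html" }, risc, pdf];
const sameHost = [{ url: "https://app.example.org/index.html" }, risc, pdf];
// PDF served by an extension whose preProcessResponse sets no header at all.
const noHeader = [crossHost[0], risc, { url: pdf.url }];

console.log(firstBlockedFrame(crossHost)); // PDF blocked by the foreign outer page
console.log(firstBlockedFrame(sameHost));  // everything renders
console.log(firstBlockedFrame(noHeader));  // renders, but any host may now frame it
```

The third chain shows the cost of the "do nothing" override: the PDF becomes visible in the nested setup, and it also becomes embeddable from every other host.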