Enterprise Client Community

(mail copied into this forum - to the author: this is a great forum question, would be great to follow up communication here...!)

I have a question about the PDF renderer. Recently we can no longer display PDFs because “X-Frame Options” is set to “deny”.

I then updated our software to release 20220314.

So that we can theoretically display CaptainCasa Page in an IFrame set embedableasiframe="true" in the server.xml.

But how can I allow this for the PDFRenderer? The PDF is displayed in an IFRAME.

In the ChangeLogs I saw that you could overwrite the DefaultBufferedStreamContent class and adjust the header in the preProcessResponse method.

Is there another solution? And if not, how would I overwrite it so that the overwritten class is used?

...goood question! ;-)

By default pages rendered by DefaultBufferedContent are returned with "sameorigin" as "x-frame-options" header parameter.

In your constellation I believe there is...
Code:

 Some outer page with IFRAME
     in which a .risc page is opened
         in which a PDF pages is created with DefaultBufferedContent

If your x-frame-otions are now set in the following way...
Code:

 (outest)
     "true" by system.xml
         "sameorigin" by DefaultBufferedContent

...then the PDF page will not be shown.

Currently the only way to overcome to override the following method within your DefaultBufferedContent extension...
Code:

     /**
      * In the default implementation the header parameter "x-frame-options" is set
      * to "sameorigin" so that the buffered content is not embed-able into pages
      * coming from some different host. You may override this behavior.
      */
     public void preProcessResponse(HttpServletResponse response)
     {
         ServletUtil.setResponseHeader(response,"x-frame-options","sameorigin");
     }

and set/not set the parameter properly. (In case you want to net set things at all you just override by:
Code:

     public void preProcessResponse(HttpServletResponse response)
     {
         // do nothing!
     }

This smells like some area of improvement.
In one of our next updates we can provide a configuration for the default that is curerently coded to "sameorigin".

Kind regards! Björn

PS: for other readers the security guide https://www.captaincasa.com/docu/eclnt_risc_securityguide/ contains all information "around"...

For next update we added:

1. embedded pages inside CaptainCasa do not come with default "sameorigin" for "x-frame-options" - but with no seteting of this parameters (so they can be embedded in any scenario)

2. By system.xml you can explicitly override this. There are three catergories:
a. internal bridge pages (e.g. to chart.js, quill-editor, OSM, ...)
b. BufferedContent pages
c. TempFile pages
So if you (or some auditor) explicitly wants to see certain parameters then you can do so.

So the problem you raised should not occur anymore - while keeping the explicit configure-ability.

Kind regards! Björn