3

I am working on a case management system which requires a series of client checks to be performed. On the current system the user is required to visit the external site, take a screen shot of the relevant information, return to the system and attach this screen shot to the client file. The aim is to make this process much more efficient.

The boss wanted to use iframes to display the necessary check websites on our site. The problem is a few of these external websites have the X-Frame options set to deny. Any workarounds I have seen seem open to patches and perhaps not even legal. I am looking for a secure, above board solution to this problem. This includes a paid solution.

I will contact the necessary companies to see if we can in some way pay to have the iframe block lifted for us, but some of these are major government bodies so I am not overly confident. So basically I am looking for any other ideas on how to go about this.

niutech
user7435243
  • Well if this could easily be circumvented by you using HTML and/or JavaScript, the header would be completely pointless. There’s probably browser extensions to circumvent/ignore it (but that would of course require installation in every single client browser used.) – CBroe Jan 18 '17 at 11:21
  • 1
    The installation on every browser would be fine. And I currently have an extension working okay. My only concern would be implementing the system based on this extension, only for the extension to be removed or for a patch to render the extension useless. Am I right for thinking like this? Apologies, only second week on the job. – user7435243 Jan 18 '17 at 11:41
  • Browser extensions circumventing this are probably in most cases rather intended for use by developers, and not as an end user “solution” to such a problem. But I don’t see any reason why they should be stopped/discontinued suddenly. – CBroe Jan 18 '17 at 12:06
  • No problem, thanks. Have you any idea if extensions like this are legal? As in, if a developer does not want their site to be iframed, is it illegal to then use an extension to iframe it? Hard to find much info on it. – user7435243 Jan 18 '17 at 12:18
  • 2
    Nah, I wouldn’t say “illegal”. (You might as well be using an old browser that has not implemented this yet and therefore just ignores the X-Frame-Options header, so it would display such sites in frames anyway - that should not make you a “criminal”, right?) As long as you are doing this for a limited user base in a more or less closed system, and not on a public website, I don’t think this is a problem. – CBroe Jan 18 '17 at 12:43
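
For triaging which of the external check sites refuse framing, and why, the following is an added example (not code from any poster in this thread) that evaluates a response's framing headers roughly the way a current browser does. It goes slightly beyond the question by also reading the CSP `frame-ancestors` directive, which replaces `X-Frame-Options` when both are sent; the function names are assumptions, and only exact origins, `*`, `'self'` and `'none'` are handled for a single parent frame.

```javascript
// Added example: decide whether a response's headers let `embedder` frame it.
// Simplified model: one parent frame, no wildcard-host or scheme-only sources.

// Normalise header names to lower case so lookups are case-insensitive.
function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Extract the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Returns {allowed, reason}. `embedder` is the origin of the page holding the
// <iframe>; `target` is the origin of the framed site.
function framingVerdict(rawHeaders, embedder, target) {
  const h = lowerKeys(rawHeaders);
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const ok = sources.some(s => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return embedder === target;
      return src === '*' || src.replace(/\/$/, '') === embedder.toLowerCase();
    });
    return { allowed: ok, reason: 'csp frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === '') return { allowed: true, reason: 'no framing header' };
  if (xfo === 'DENY') return { allowed: false, reason: 'x-frame-options deny' };
  if (xfo === 'SAMEORIGIN')
    return { allowed: embedder === target, reason: 'x-frame-options sameorigin' };
  // ALLOW-FROM is obsolete and, like any invalid value, ignored by current browsers.
  return { allowed: true, reason: 'x-frame-options value ignored' };
}
```

A `false` verdict with reason `x-frame-options deny` or `'none'` means the site owner has opted out of framing everywhere, so only the owner changing the header (or offering an API or export) resolves it on the server side.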

2 Answers

1

You can bypass X-Frame-Options header by using my X-Frame-Bypass Web Component. It extends the <iframe> element by using the CORS proxy and works in the latest Firefox and Chrome browser.

niutech
  • This solution works great (at least in Chrome). Just a caveat, it doesn't work for me if I try to integrate with a Vue app (and one issue filed in the Github repo says it doesn't work with Angular, but throws a different error than what I saw) – ultrageek Aug 26 '20 at 00:30
-1

Since your boss needs to bypass the X-Frame-Options header on his machine only, you can try some browser extension to remove the header.

Please note that this is not the only caveat to opening websites inside iframes. It is a hell of a challenge to open all sorts of websites inside an iframe.

Since you asked to bypass the X-Frame-Options header, install a Chrome/Firefox extension like

And set up a rule to remove this header. Please read this article: Bypass Iframe Busting Header using extension

Sachin Jain