No announcement yet.
  • Filter
  • Time
Clear All
new posts

    Secure SSL websites don't load in HTMLPane's

    We recently converted a bunch of company internal web sites to secure https sites. This broke code that showed them in HTMLPanes. How do we deal with SSL in this case?
                               // show embedded confluence page
                                HTMLPane confluencePane = new HTMLPane();
                                // ???? Secure (https) pages do not load, but regular old http pages still do.

    What specific problem are you seeing? Mixed content warnings, failure to load, something else?

    Note that contentsType:"page" is simply an <iframe>. So anything that affects the general use of <iframe> applies here. For example, if the outer page is http but the iframe is https, that won't be allowed.

    X-Frame-Option may also have been set (at the same time as rollover to https) which may separately prevent embedding.

    Note that you can use any DOM inspector to look at the <iframe> we are generating. Also, if you find any setting that you need to change on the iframe, you can just use an HTMLFlow with contentsType:"fragment" and use an iframe of your own, to experiment. However, if you find that you need to generate an <iframe> tag that we can't currently generate with contentsType:"page", we would love to know.

    If you end up stuck (no way to generate a valid <iframe>, regardless of SmartGWT's involvement) consider:

    1. HttpProxy to download the content on the server side


    2. REST or other APIs to retrieve the content (supported by Confluence, for one)


      The genrated iframe is:
      <iframe id="isc_UN" scrolling="auto" width="1287" height="762" frameborder="0" src="" style="height: 762px;"></iframe>

      DOM Error: Refused to display '' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

      If I understand my cryptic google search finds, the sameorigin thing is set by the web site I'm trying to get to load in the iframe. The DOM error is the browser enforcing it. It appears that I have no further control over this. Let me know if I'm missing something.

      My work around is to open the page in a new tab. That works and is good enough for our users.

      Thanks for getting me pointed in the right direction.



        Ah. Yes, so it wasn’t strictly the https switchover, it was the X-Frame-Options.

        We’re glad opening as a new tab works, and these days, with all the ways in which content is being scraped or repurposed for nefarious reasons, that may be the best approach for your application.

        However, if the content needs to be seamlessly inlined, consider our numbered suggestions above.