
    X-Frame-Options Permission Denied When DynamicForm has a "file" field

    We have the X-Frame-Options set to deny for security reasons.
    We have a DynamicForm that works fine for posting data to the server until we add a field with type="file".
    This then seems to try and open an IFrame which obviously is not going to work given our security setting.

    I have done an extensive web search and read many posts on the subject but nobody seems to have found a solution to this issue.
    I am wondering if there is something I have not stumbled on in the documentation to use a more "current" mechanism than the old-school method of an iframe (DynamicForm.setTarget() does not work since we are using DataBound Component Methods).

    If anyone can point me in the right direction it would be appreciated.

    We would recommend simply turning off this X-Frame-Options setting. It is, at best, a defense-in-depth measure that would make a difference only if multiple other more basic security measures failed, and primarily applies to coding errors made when using DOM-level programming, not when using components (as with SmartClient).

    Other options:

    1. isolate the page where you need to do file upload, and have only that page turn off the X-Frame-Options setting

    2. do the file upload yourself in JavaScript. You don't get the simplicity we offer where a binary field can be treated like any other field, but it's not that hard

    3. use the Feature Sponsorship program to have an upload mechanism compatible with your desired X-Frame-Options setting added to the framework. Note that Feature Sponsorships can be supported against existing versions using patch files


      Thanks for the advice - we have already gone with option 2.
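
An added example (not code from the thread or from SmartClient) of what option 2 can look like: the file is sent with `fetch` and `FormData`, so no hidden iframe is involved and the site-wide `X-Frame-Options: DENY` header can stay in place. The endpoint `/upload`, the field names `file` and `recordId`, and the element id `attachment` are assumptions.

```javascript
// Added example: upload a file with fetch + FormData instead of a hidden iframe.
// UPLOAD_URL and the field name "file" are assumptions, not SmartClient APIs.
const UPLOAD_URL = "/upload"; // hypothetical same-origin endpoint

// Build the request synchronously so it can be inspected before it is sent.
function buildUploadRequest(file, fileName, extraFields = {}) {
  const body = new FormData();
  for (const [name, value] of Object.entries(extraFields)) {
    body.append(name, String(value)); // ordinary form fields travel alongside the file
  }
  body.append("file", file, fileName);
  return {
    url: UPLOAD_URL,
    init: {
      method: "POST",
      body,                       // the runtime adds the multipart boundary header
      credentials: "same-origin", // session cookie is sent only to our own origin
      headers: { Accept: "application/json" },
    },
  };
}

// The response is read by script and never rendered in a frame, so
// "X-Frame-Options: DENY" on the server does not block it.
async function uploadFile(file, fileName, extraFields, fetchImpl = fetch) {
  const { url, init } = buildUploadRequest(file, fileName, extraFields);
  const response = await fetchImpl(url, init);
  if (!response.ok) {
    throw new Error(`Upload failed with HTTP ${response.status}`);
  }
  return response.json(); // assumes the server answers with JSON
}

// Browser wiring (constructed markup: <input type="file" id="attachment">):
// const input = document.getElementById("attachment");
// input.addEventListener("change", () =>
//   uploadFile(input.files[0], input.files[0].name, { recordId: 42 })
//     .then(console.log, console.error));
```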