Loading activiti-app in an iFrame

mikeblum
Champ in-the-making
I'm attempting to load the activiti-app into an iframe from Box.com but get blocked with the following exception:

Refused to display 'https://localhost/activiti-app/workflow/#/tasks?taskId=100011' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Configuring the CORS filter on the tomcat instance in tomcat/conf/web.xml:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

but I'm still getting denied. Do I need to configure something in the activiti-app.properties to enable loading into an iframe?

Thanks,
Mike

4 REPLIES

jbarrez
Star Contributor
Yes, the current (1.2.2) version does indeed have Sameorigin, meaning that you would have to use a proxy server such that everything is running on the same domain.

The cors filter is probably not going to help, cause it's being set in the Spring SecurityConfiguration.

To solve the issue, we'd probably have to allow for configuration of the X-Frame options, but we've had some security issues with that before … which is why we set it to sameorigin.

mikeblum
Champ in-the-making
That makes sense. I tried adding a proxy to my Apache http server:

        ProxyPass /activiti-app http://localhost:8080/activiti-app
        ProxyPassReverse /activiti-app http://localhost:8080/activiti-app

But I'm still getting a SAMEORIGIN error. Is proxyPass not going to work?

vasile_dirla
Star Contributor
It seems the iframe source wants to load "https://localhost/activiti-app/". Make sure you configure the proxy pass with SSL.

You have to load mod_proxy, mod_ssl and mod_proxy_http and then define the ProxyPass:
<blockcode>
<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    SSLCertificateFile /etc/httpd/certs/yourCertificate.crt
    SSLCertificateKeyFile /etc/httpd/certs/yourKey.key
    ProxyPass /activiti-app http://localhost:8080/activiti-app
    ProxyPassReverse /activiti-app http://localhost:8080/activiti-app
</VirtualHost>
</blockcode>

Maybe you already did that but this is the first thing I have in mind considering the problem.

mikeblum
Champ in-the-making
Thanks. That's exactly what we ended up doing with an apache2 proxy.
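
Why the browser keeps refusing the frame until the embedding page and activiti-app share scheme, host and port: a small Python model of the X-Frame-Options check, added here as an illustration and not part of the original thread or of Activiti. The portal URLs are constructed sample values; only the framed URL comes from the error message above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
KNOWN = {"deny", "sameorigin", "allowall"}

# Framed URL from the error message; the parent URLs below are constructed.
FRAME = "https://localhost/activiti-app/workflow/#/tasks?taskId=100011"
EXTERNAL_PARENT = "https://portal.example/embed"
PROXIED_PARENT = "https://localhost/portal/index.html"
HTTP_PARENT = "http://localhost/portal/index.html"


def origin(url):
    """Return the (scheme, host, port) tuple browsers compare for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))


def framing_allowed(framed_url, ancestor_urls, xfo_values):
    """Model the X-Frame-Options decision for a response loaded in a frame.

    ancestor_urls: every embedding document, immediate parent first.
    xfo_values: raw X-Frame-Options values, one entry per header line.
    """
    # Split comma-separated lists, lowercase and de-duplicate the tokens.
    tokens = {t.strip().lower()
              for value in xfo_values for t in value.split(",") if t.strip()}
    if not tokens:
        return True                      # no header, no restriction
    if len(tokens) > 1:
        # Conflicting values fail closed as soon as one is a known token.
        return not (tokens & KNOWN)
    token = next(iter(tokens))
    if token == "deny":
        return False
    if token == "sameorigin":
        # Every ancestor must match, not only the immediate parent.
        target = origin(framed_url)
        return all(origin(a) == target for a in ancestor_urls)
    return True  # unrecognised values (e.g. the obsolete ALLOW-FROM) are ignored


if __name__ == "__main__":
    for parent in (EXTERNAL_PARENT, HTTP_PARENT, PROXIED_PARENT):
        print(parent, "->", framing_allowed(FRAME, [parent], ["SAMEORIGIN"]))
```

Only the parent served from https://localhost passes, so a proxy helps only when the embedding page itself is delivered through the same HTTPS virtual host as /activiti-app.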