OUFW Removes Embedded IFrame Blocking and Allows X-Frame-Options For ORS / Siebel Integration
(Doc ID 1945179.1)
Last updated on APRIL 24, 2018
Applies to:Oracle Real-Time Scheduler - Version 2.2.0 and later
Siebel CRM Integration to Oracle Realtime Scheduler - Version 22.214.171.124 SIA  and later
Oracle Utilities Framework - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
As a standard method of defending against clickjacking attacks, OUFW based applications are blocked from running within another iframe. There are no options for this.
Some customers with an integrated OUFW application may with to do this. For example, running Oracle Realtime Scheduler (ORS) alongside Siebel inside a firewall and embed ORS within a Siebel Iframe. This can be done with IE7 but does not not work for later versions of IE due to security.
When tried, users recieve the error message:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
What you can try: Open this content in a new window
From Fiddler traces, we notice that Oracle Scheduler is sending “X-FRAME-OPTIONS: SAMEORIGIN” header.
If we remove the HTTP Header, “X-FRAME-OPTIONS”, we can load Oracle Scheduler within IFrame in Siebel web application successfully.
ORS that is trying to display in the IFRAME seems to be returning X-Frame-Options: Deny in the HTTP Header and this is resulting in the error message.
There are no IE settings that will disable this functionality as it is hard coded in the IE browser (at least version 8 and above). This is a "Clickjacking Defense" created by Microsoft to prevent embeding malicious code or "redressing" the user interface by using transparent frames that overlay specific UI elements with misleading text and images.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!