OUAF Removes Embedded IFrame Blocking and Allows X-Frame-Options For ORS / Siebel Integration (Doc ID 1945179.1)

Last updated on AUGUST 15, 2022

Applies to:

Symptoms

As a standard method of defending against clickjacking attacks, Oracle Utilities Application Framework (OUAF) based applications are blocked from running within another iframe. There are no options for this.

Some customers with an integrated OUAF application may with to do this.  For example, running Oracle Realtime Scheduler (ORS) alongside Siebel inside a firewall and embed ORS within a Siebel Iframe. This can be done with IE7 but does not not work for later versions of IE due to security.

When tried, users recieve the error message:

~~~~~~~~~~~~~~~~~~~~~~~~~~
This content cannot be displayed in a frame

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
What you can try: Open this content in a new window
~~~~~~~~~~~~~~~~~~~~~~~~~~

Troubleshooting
=============
From Fiddler traces, we notice that Oracle Scheduler is sending “X-FRAME-OPTIONS: SAMEORIGIN” header.
If we remove the HTTP Header, “X-FRAME-OPTIONS”, we can load Oracle Scheduler within IFrame in Siebel web application successfully.

ORS that is trying to display in the IFRAME seems to be returning X-Frame-Options: Deny in the HTTP Header and this is resulting in the error message.
There are no IE settings that will disable this functionality as it is hard coded in the IE browser (at least version 8 and above).  This is a "Clickjacking Defense" created by Microsoft to prevent embedding malicious code or "redressing" the user interface by using transparent frames that overlay specific UI elements with misleading text and images.

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.