IFramePolicy into the alfresco-security-config.xml file. This is a config section that describes which pages Alfresco Share should allow to be '(i)framed', in other words, included inside Alfresco Share within an iframe. It is available in Alfresco Enterprise 4.1.4 and also for Community on HEAD.

share-security-config.xml.

<config evaluator='string-compare' condition='IFramePolicy'>
   <!--
      Local Share pages/resources are governed by the same-domain element which
      can be set to 'allow' or 'deny'
   -->
   <same-domain>allow</same-domain>
   <!--
      Add a list of <url> elements inside this element to form a whitelist of
      allowed domains. The check will assert that the url used for the <iframe>
      starts with the value of one of the <url> elements.
   -->
   <cross-domain>
      <!--
         Allow all domains by default, it is recommended to override this
         setting and instead keep a whitelist of the domains that you trust to be
         included on Share pages.
      -->
      <url>*</url>
   </cross-domain>
</config>

IFramePolicy config. It is very simple: all you need to do is add the following code snippet to your code:

if (Alfresco.util.IFramePolicy &&
    !Alfresco.util.IFramePolicy.isUrlAllowed(iFrameSrcUrl))
{
   // TODO: Display error message saying the IFramePolicy doesn't allow this url
}
else
{
   // TODO: Display the iframe just like you did before
}

IFramePolicy is there; we do this to make sure our code will continue to work in older Alfresco Share versions that don't have an IFramePolicy. Then we check if the URL that we are about to display is trusted by the IFramePolicy config. If it isn't, we display a friendly error message telling the user how to proceed.

share-config-custom.xml file:

<config evaluator='string-compare' condition='IFramePolicy' replace='true'>
   <cross-domain>
      <url>http://www.trusted-domain-1.com/</url>
      <url>http://www.trusted-domain-2.com/</url>
   </cross-domain>
</config>

IFramePolicy's <cross-domain> element to not include the default <url>*</url> but instead multiple <url> elements, each specifying the URLs to trust.

<url> element like below:

<url>http://www.partly-trusted-domain.com/but/only/urls/from/here</url>

http://www.my-proxy-server.com.evil-server.se/phishing-attack.html obviously starts with http://www.my-proxy-server.com but not http://www.my-proxy-server.com/.
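
The trailing-slash point above, as an added example that is not from the original post or from Alfresco: a JavaScript model of the starts-with rule described in the config comment, a helper that reviews a whitelist for risky entries, and a stricter origin comparison. The three function names and the page.html URL are assumptions made for illustration.

```javascript
// Added example; the function names below are hypothetical, not Alfresco APIs.

// The rule as the config comment states it: the iframe URL must start with
// the value of one of the <url> elements ('*' allows everything).
function isAllowedByPrefix(iframeUrl, whitelist) {
  return whitelist.some((entry) => entry === '*' || iframeUrl.startsWith(entry));
}

// Review a whitelist for entries that a look-alike hostname can satisfy.
function lintWhitelist(whitelist) {
  const findings = [];
  for (const entry of whitelist) {
    // scheme://host, then capture whether a "/" closes the host part
    const m = /^[a-z][a-z0-9+.-]*:\/\/[^\/]+(\/?)/i.exec(entry);
    if (entry === '*') {
      findings.push({ entry, issue: 'wildcard allows every domain' });
    } else if (!m) {
      findings.push({ entry, issue: 'not an absolute URL' });
    } else if (m[1] !== '/') {
      findings.push({ entry, issue: 'no "/" after the host' });
    }
  }
  return findings;
}

// Stricter alternative (an assumption, not how Share is documented to work):
// compare the parsed origin exactly, then prefix-match the path only.
function isAllowedByOrigin(iframeUrl, whitelist) {
  let target;
  try { target = new URL(iframeUrl); } catch (e) { return false; }
  return whitelist.some((entry) => {
    let allowed;
    try { allowed = new URL(entry); } catch (e) { return false; }
    return target.origin === allowed.origin &&
           target.pathname.startsWith(allowed.pathname);
  });
}

// Constructed sample data built from the URLs quoted in the text.
const phishing = 'http://www.my-proxy-server.com.evil-server.se/phishing-attack.html';
const legit = 'http://www.my-proxy-server.com/page.html';
const loose = ['http://www.my-proxy-server.com'];   // no trailing slash
const strict = ['http://www.my-proxy-server.com/']; // host closed by "/"

console.log(isAllowedByPrefix(phishing, loose));  // true
console.log(isAllowedByPrefix(phishing, strict)); // false
console.log(lintWhitelist(['*', ...loose, ...strict]));
```

Running lintWhitelist over the <url> values of a share-config-custom.xml override before deploying it catches both the default wildcard and host-only entries.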