X Frame Options Header Provider (web-XFrameOptionsHeaderProvider)

This component provides the X-Frame-Options HTTP header.

Figure 1. X Frame Options Header Provider properties


To access these properties, expand Config > Services > WebService > Http Header Providers and double-click X-Frame-Options.

In addition to the standard property, Enabled, this component supports the following property.

| Property | Value | Description |
| --- | --- | --- |
| X-Frame-Options | drop-down list (defaults to Sameorigin) | Selects the options. |

Deny prevents the browser from loading the page in a frame.

Note: Deny inhibits the display of some typical HTML5 Hx Profile views.

Sameorigin allows the browser to embed other pages from within the same station. This is considered a safe practice and is necessary for the correct functioning of the HTML5 Hx Profile.

Any may cause a Cross-Frame Scripting (XFS) or click-jacking vulnerability and is not recommended. If an external site needs to embed your station’s web interface, configure a "frame-ancestors" directive under Content-Security-Policy.
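To verify what a station actually sends after changing this property, the response headers can be classified the way a browser evaluates them, including the case where a Content-Security-Policy "frame-ancestors" directive takes over from X-Frame-Options. The following is an added example, not code from the product; the function names and sample headers are constructed, and because this page does not state what the Any option puts on the wire, any absent or unenforced value is reported as unrestricted.

```python
KNOWN_XFO = {"deny", "sameorigin", "allowall"}

def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """headers: list of (name, value) pairs. Returns (verdict, reason)."""
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    # An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
    # Simplification: only the first policy that carries the directive is read.
    for value in csp:
        ancestors = csp_frame_ancestors(value)
        if ancestors is None:
            continue
        if not ancestors or ancestors == ["'none'"]:
            return ("deny", "frame-ancestors 'none'")
        if ancestors == ["'self'"]:
            return ("sameorigin", "frame-ancestors 'self'")
        if "*" in ancestors:
            return ("unrestricted", "frame-ancestors *")
        return ("allowlist", "frame-ancestors " + " ".join(ancestors))
    # Repeated headers and comma-joined values form one set of lowercase tokens.
    tokens = {t.strip().lower() for v in xfo for t in v.split(",")}
    if not tokens:
        return ("unrestricted", "no X-Frame-Options and no frame-ancestors")
    if len(tokens) > 1:
        # Conflicting values that include a known one are blocked by the browser.
        if tokens & KNOWN_XFO:
            return ("deny", "conflicting X-Frame-Options values")
        return ("unrestricted", "only unrecognized X-Frame-Options values")
    (token,) = tokens
    if token in ("deny", "sameorigin"):
        return (token, "X-Frame-Options: " + token.upper())
    return ("unrestricted", "X-Frame-Options value not enforced: " + token)

# Constructed sample responses (not captured from a real station).
SAMPLES = {
    "default": [("X-Frame-Options", "SAMEORIGIN")],
    "external embed": [("X-Frame-Options", "SAMEORIGIN"),
                       ("Content-Security-Policy", "frame-ancestors https://portal.example")],
    "no header": [],
}
if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", framing_policy(hdrs))
```

A verdict of "unrestricted" corresponds to the exposure described for Any; "allowlist" is the result to expect once an external site has been granted access through frame-ancestors.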