Question:
Why is the Web Client not displayed in an iframe?
The Web Client is a software solution that allows you to manage, edit and share documents. You can install the Web Client on your own server and access it via a browser. You can also embed the Web Client in an iFrame to integrate it into another website. An iFrame is an HTML element that allows you to insert another web page into a web page.
However, the web client may not be displayed in an iFrame,if the address of the iFrame is different from that of the web client. This is due to the security guidelines of the browser you are using. Many browser manufacturers have tightened the security guidelines of their browsers to prevent cross-site attacks. Cross-site attacks are attacks in which an attacker attempts to steal or manipulate data from another website by embedding an iFrame or script into a website.
To prevent such attacks, many browsers use the so-called Same-Origin Policy. This policy states that an iFrame may only load content from the same source as the website that contains the iFrame. The source is determined by the combination of Protocol, Host and Port are determined. If one of these components is different, the source is considered different and the iFrame is blocked.
This means that if you call up the Web Client with an address that is different from the page of your iFrame, the Web Client will not be displayed in it. For example, if you call up the Web Client with the address https://iframe.example.com but the iFrame displays the address http://iframe.example.com the iFrame is blocked because the protocol ( https vs. http ) is different, or if you use the address http://webclient.example.com because the host ( webclient vs. iframe ) is different.
Answer:
To solve this problem, you must ensure that the address of the web client and the address of the iFrame have the same source, i.e. that they use the same protocol, the same host and the same port. Alternatively, you can try using a different browser that uses a less strict same-origin policy or adjust the security settings of your browser to allow iFrames from other sources. However, you should be aware that this poses a security risk as it can make you more vulnerable to cross-site attacks.
Another way to circumvent the same-origin policy is to use CORS or proxy servers. CORS stands for Cross-Origin Resource Sharing and is a mechanism that allows web servers to determine which other sources are allowed to access their resources. CORS uses HTTP headers to control communication between different sources. If you want to use CORS, you must configure the appropriate headers on the server hosting the web client. You must also ensure that the browser you are using supports CORS.
A proxy server is a server that acts as an intermediary between your browser and the web client. It receives your request and forwards it to the web client as if it came from the same source. In this way, you can bypass the same-origin policy by using the proxy server as an intermediary. However, you must find or set up a proxy server that forwards your requests to the web client.
Setting up CORS or proxy server is a technical matter that must be done by your own server administrator or IT service provider. DocuWare is not responsible for the configuration or operation of your server or network. DocuWare only offers you the Web Client as a software solution that you can install and use on your server.
Further information:
"Working with Same-Origin Policy Restrictions" - https://www.codecentric.de/wissens-hub/blog/working-origin-policy-restrictions
"Enabling cross-origin requirements (CORS) in ASP.NET Core" - https://learn.microsoft.com/de-de/aspnet/core/security/cors?view=aspnetcore-8.0
The following information serves as an ad hoc workaround if you are currently installing a customer system and are running into a cross-domain scenario. Before the customer system goes live, the cross-domain topic described above must have been implemented elsewhere!
The Web Client has been delivered with increased security settings since DocuWare 6.5.
I.e. if the Web Client is integrated in an iFrame of a page that contains not the same domain or address ( cross domain ), this is denied by default.
To deactivate this security mechanism, the following setting must be made ( also after every minor or major update ):
- Save the file "C:\Program Files\DocuWare\Web\Platform\Web.config"
or older versions "C:\Program Files (x86)\DocuWare\Web\Platform\Web.config" - Open the file "Web.config"
- Look for the following entry:
<location path="WebClient">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location> - Remove this entry or comment it out (as in this example):
<!-- <location path="WebClient">
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location> --> - Save your changes
- Restarting a component is not necessary!
If you are using DocuWare 6.5, you must also install Hotfix 21:
https://dwsupport.blob.core.windows.net/supportdownloads/hotfixes/6.5/DW6.5_Hot21.zip
Therefore recommend the SAMEORIGIN option to keep and to run both applications (in which DocuWare is embedded as an iFrame and DocuWare itself) on the same server.
Therefore, the following applies from DocuWare 7.4: HTTP for the use of DocuWare within an iframe is not supported (except for Firefox or if the iframe domain is identical to the browser domain).
See technical changes in DocuWare 7.4