Why is the Web Client not displayed in an iframe?

Question:
Why is the Web Client not displayed in an iframe?
The Web Client is a software solution that allows you to manage, edit and share documents. You can install the Web Client on your own server and access it via a browser. You can also embed the Web Client in an iFrame to integrate it into another website. An iFrame is an HTML element that allows you to insert another web page into a web page.
However, the web client may not be displayed in an iFrame,if the address of the iFrame is different from that of the web client. This is due to the security guidelines of the browser you are using. Many browser manufacturers have tightened the security guidelines of their browsers to prevent cross-site attacks. Cross-site attacks are attacks in which an attacker attempts to steal or manipulate data from another website by embedding an iFrame or script into a website.
To prevent such attacks, many browsers use the so-called  Same-Origin Policy. This policy states that an iFrame may only load content from the same source as the website that contains the iFrame. The source is determined by the combination of  Protocol,  Host  and  Port  are determined. If one of these components is different, the source is considered  different  and the iFrame is blocked.

This means that if you call up the Web Client with an address that is different from the page of your iFrame, the Web Client will not be displayed in it. For example, if you call up the Web Client with the address  https://iframe.example.com  but the iFrame displays the address  http://iframe.example.com  the iFrame is blocked because the protocol ( https  vs.  http ) is different, or if you use the address http://webclient.example.com because the host ( webclient vs. iframe ) is different.

Answer:
To solve this problem, you must ensure that the address of the web client and the address of the iFrame have the same source, i.e. that they use the same protocol, the same host and the same port. Alternatively, you can try using a different browser that uses a less strict same-origin policy or adjust the security settings of your browser to allow iFrames from other sources. However, you should be aware that this poses a security risk as it can make you more vulnerable to cross-site attacks.
Another way to circumvent the same-origin policy is to use CORS or proxy servers. CORS stands for  Cross-Origin Resource Sharing  and is a mechanism that allows web servers to determine which other sources are allowed to access their resources. CORS uses HTTP headers to control communication between different sources. If you want to use CORS, you must configure the appropriate headers on the server hosting the web client. You must also ensure that the browser you are using supports CORS.
A proxy server is a server that acts as an intermediary between your browser and the web client. It receives your request and forwards it to the web client as if it came from the same source. In this way, you can bypass the same-origin policy by using the proxy server as an intermediary. However, you must find or set up a proxy server that forwards your requests to the web client.

Setting up CORS or proxy server is a technical matter that must be done by your own server administrator or IT service provider. DocuWare is not responsible for the configuration or operation of your server or network. DocuWare only offers you the Web Client as a software solution that you can install and use on your server.

Further information:
"Working with Same-Origin Policy Restrictions" - https://www.codecentric.de/wissens-hub/blog/working-origin-policy-restrictions
"Enabling cross-origin requirements (CORS) in ASP.NET Core" - https://learn.microsoft.com/de-de/aspnet/core/security/cors?view=aspnetcore-8.0

The following information serves as an ad hoc workaround if you are currently installing a customer system and are running into a cross-domain scenario. Before the customer system goes live, the cross-domain topic described above must have been implemented elsewhere!

The Web Client has been delivered with increased security settings since DocuWare 6.5.
I.e. if the Web Client is integrated in an iFrame of a page that contains not the same domain or address ( cross domain ), this is denied by default.
To deactivate this security mechanism, the following setting must be made ( also after every minor or major update ):

• Save the file "C:\Program Files\DocuWare\Web\Platform\Web.config"
  or older versions "C:\Program Files (x86)\DocuWare\Web\Platform\Web.config"
• Open the file "Web.config"
• Look for the following entry:
  <location path="WebClient">
    <system.webServer>
    <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    </system.webServer>
  </location>
• Remove this entry or comment it out (as in this example):
  <!-- <location path="WebClient">
    <system.webServer>
    <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    </system.webServer>
  </location> -->
• Save your changes
• Restarting a component is not necessary!