Issue report by Nicholas Orr
Product
FileMaker Server
Version
13v5
Operating system version
Windows 2008 64bit
Description of the issue
The update to v5 has extra security around embedding WebDirect in iframes on other servers, which is a good thing, but there is no working way to override the allowed servers. IIS normally allows you to add your own X-Frame-Options header via the IIS settings, but it appears that there's no way to remove the existing one that FMS is setting.

I tried overriding the deprecated X-Frame-Options header by adding an additional Content-Security-Policy header (which is a new standard), but no luck.
Even though the spec says that browsers should ignore X-Frame-Options if Content-Security-Policy exists:
https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors
And I am testing with Firefox, which should have support for this:
http://caniuse.com/contentsecuritypolicy
So what previously either worked, or could be set specifically for any security issues, now has a setting we can't adjust, and it causes a failure we didn't used to have.
Steps to reproduce the problem
Generate any WebDirect page and embed it in an iframe in another web page. Load that in a browser and check the browser errors. The iframe won't load, and there will be an error like: Refused to display 'http://server/fmi/webd#filename' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
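The browser behaviour the report relies on, modelled as an added example (this is not code from the report, from FileMaker Server or from any browser). It follows the precedence rule in the linked CSP spec (a frame-ancestors directive, when present, makes X-Frame-Options irrelevant) and the X-Frame-Options check from the HTML Living Standard (DENY blocks, SAMEORIGIN compares origins, conflicting values block, any other value such as ALLOW-FROM is ignored). It is simplified: only the direct embedder is checked, and frame-ancestors sources are limited to 'none', 'self', '*', a bare scheme, or a host with optional scheme and leading "*." wildcard, without ports. The origins http://server (the WebDirect host from the error message) and http://portal.example.com (the embedding page) are constructed for the demonstration; it runs under Node.js.

```javascript
// Added example: models a browser's framing decision for a fetched document.
// Not FileMaker or browser code; origins below are constructed for the demo.
// Run with: node framing.js

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// One CSP header value may carry several comma-separated policies, each a list
// of semicolon-separated directives. Returns one source list per policy that
// actually contains a frame-ancestors directive (first directive wins per policy).
function frameAncestorsPolicies(headerValue) {
  const result = [];
  for (const policy of headerValue.split(',')) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        result.push(tokens.slice(1));
        break;
      }
    }
  }
  return result;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(source, ancestorOrigin, responseOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === responseOrigin;
  if (s === '*') return true;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s; // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && a.protocol !== `${scheme}:`) return false;
  return wildcard ? a.hostname.endsWith(`.${host}`) : a.hostname === host;
}

// headers: array of [name, value] pairs exactly as received, so a duplicate
// header (the one FMS sets plus one added in IIS) is representable.
function framingDecision(headers, responseUrl, ancestorUrl) {
  const responseOrigin = originOf(responseUrl);
  const ancestorOrigin = originOf(ancestorUrl);
  const values = (name) =>
    headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v);

  // Step 1: if any policy carries frame-ancestors, those policies decide and
  // every one of them must allow the ancestor. X-Frame-Options is not consulted.
  const policies = values('content-security-policy').flatMap(frameAncestorsPolicies);
  if (policies.length > 0) {
    const allowed = policies.every((sources) =>
      sources.some((src) => sourceMatches(src, ancestorOrigin, responseOrigin)));
    return { allowed, reason: allowed
      ? 'frame-ancestors permits this ancestor (X-Frame-Options ignored)'
      : 'frame-ancestors refuses this ancestor (X-Frame-Options ignored)' };
  }

  // Step 2: no frame-ancestors anywhere, so X-Frame-Options applies.
  const xfo = values('x-frame-options')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean);
  const unique = [...new Set(xfo)];
  if (unique.length === 0) return { allowed: true, reason: 'no framing restriction' };
  if (unique.length > 1) {
    // Two different values (e.g. FMS's SAMEORIGIN plus an ALLOW-FROM added in IIS) block.
    return { allowed: false, reason: `conflicting X-Frame-Options values: ${unique.join(', ')}` };
  }
  if (unique[0] === 'deny') return { allowed: false, reason: "X-Frame-Options 'DENY'" };
  if (unique[0] === 'sameorigin') {
    const allowed = ancestorOrigin === responseOrigin;
    return { allowed, reason: allowed
      ? "X-Frame-Options 'SAMEORIGIN' and the embedder is same-origin"
      : `Refused to display '${responseUrl}' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'` };
  }
  return { allowed: true, reason: `unrecognised X-Frame-Options value '${unique[0]}' is ignored` };
}

// Constructed scenarios mirroring the report.
const WEBDIRECT = 'http://server/fmi/webd';
const EMBEDDER = 'http://portal.example.com/page.html';

// Only the header FMS sets: the cross-origin iframe is refused.
const fmsOnly = framingDecision([['X-Frame-Options', 'SAMEORIGIN']], WEBDIRECT, EMBEDDER);

// The same header plus a frame-ancestors policy: the CSP policy decides and the iframe loads.
const withCsp = framingDecision(
  [['X-Frame-Options', 'SAMEORIGIN'],
   ['Content-Security-Policy', "frame-ancestors 'self' http://portal.example.com"]],
  WEBDIRECT, EMBEDDER);

console.log(fmsOnly);
console.log(withCsp);
```

The model shows the two outcomes that matter here: with only the SAMEORIGIN header the cross-origin frame is refused with the message quoted in the steps to reproduce, and a policy containing frame-ancestors is supposed to take over completely, which is the behaviour the report expected from Firefox. Feeding the model a second, different X-Frame-Options value (the "add your own header in IIS" route) is blocked as conflicting, so that route cannot loosen the restriction either.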