Plone Content shared and displayed in external website via iframe

Hi there!

I would like to share a specific and custom Collection View to be embedded by other websites (using an iframe) and came across some "problems":

  • X-Frame-Options seems to be set empty or allowall (or alike) which means ALL content could be embedded - not so good.
  • this view has a contentfilter portlet, which does not fire events when inside an iframe (after setting plone-x-frame-option to empty in zope.conf).

As I don't want to allow all content to be used inside iframes, the X-Frame-Options header doesn't fit the bill.

Is there any other way to only allow sharing a specific view (ideally to specific domain names) and/or piece of content?
…like: via the control panel, via plone.protect on a custom view, via a behavior on the collection type or something else?

I hope I didn't miss any solutions by searching here and on GitHub :wink:
Please help me and point my nose in the right direction in order to achieve this <3

kind regards,
iham (markus)

You could create a REST API service with the same queries your Collection has.

Then make a GET request to your service with e.g. fetch (JavaScript) and display the returned JSON as you need in your HTML page.

Unless you want to 'redo a bit of the programming of collectionfilter', you might be able to make a custom view, basically duplicating the one you use but remove/change the line that says

metal:use-macro="context/main_template/macros/master">

and maybe allow x-frame just for that page/view (?)

I have no idea how that would work with collective collectionfilter, but could be worth a try.

There should also be another view that skips part of a page. I have not used it for ages, but the syntax is:

http://path/to/my/page?ajax_load=1

alternatively:

?ajax_load=1&ajax_include_head=1

I will try a custom view that sets the X-Frame-Options response header - that will at least reduce the clickjacking risk from the entire website down to a few pages.

Additionally I could add a list field for allowed domains, so only those get set in the response header. Maybe worth a try.

I already did a view template using the master macro from main_template.

thank you for the ajax_load hint - will try that too.
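The plan above (a per-view header plus an allow-list of embedding domains) runs into one practical snag: current browsers only honour `DENY` and `SAMEORIGIN` in `X-Frame-Options`, so a domain allow-list has to be expressed with the Content-Security-Policy `frame-ancestors` directive instead. The following is an added example, not code from this thread or from Plone; it builds the headers from an allow-list, rejects entries that would silently widen it, and shows how they would be applied to a Zope/Plone-style response. `ALLOWED_EMBEDDERS` and `_FakeResponse` are constructed for the demo; the only Plone-side API assumed is `response.setHeader(name, value)`, which is what a browser view would call.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list (stands in for the list field proposed above).
# Entries are origins, not bare hostnames, so the scheme is part of the decision.
ALLOWED_EMBEDDERS = [
    "https://partner.example/",
    "https://news.example:8443",
]


def normalize_origin(value):
    """Reduce a URL or origin string to scheme://host[:port].

    Anything that is not an absolute http(s) origin is rejected, so a typo such
    as "*" or a path-only entry cannot widen the policy by accident.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) origin: %r" % value)
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError("origin must not carry a path, query, fragment or credentials: %r" % value)
    host = parts.hostname
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    return "%s://%s" % (parts.scheme, host)


def frame_headers(allowed_origins):
    """Return the response headers that permit framing only by allowed_origins.

    With an empty list the page may not be framed at all; both headers are sent
    so that clients without CSP support still block. With a non-empty list the
    allow-list goes into frame-ancestors ('self' keeps the site's own pages
    working). X-Frame-Options is deliberately not sent in that case because it
    cannot express a list, and CSP-aware browsers ignore it when frame-ancestors
    is present anyway.
    """
    origins = sorted({normalize_origin(o) for o in allowed_origins})
    if not origins:
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    return {
        "Content-Security-Policy": "frame-ancestors 'self' %s" % " ".join(origins),
    }


def apply_frame_policy(response, allowed_origins):
    """Set the framing headers on a response object exposing setHeader(name, value).

    In Plone the view must set X-Frame-Options itself when it wants a value other
    than the one plone.protect adds to every response; this helper is where a
    browser view's __call__ would do that before rendering the template.
    """
    for name, value in frame_headers(allowed_origins).items():
        response.setHeader(name, value)
    return response


class _FakeResponse:
    """Minimal stand-in for a Zope response, constructed so the demo runs offline."""

    def __init__(self):
        self.headers = {}

    def setHeader(self, name, value):
        self.headers[name] = value


if __name__ == "__main__":
    demo = apply_frame_policy(_FakeResponse(), ALLOWED_EMBEDDERS)
    for name, value in demo.headers.items():
        print("%s: %s" % (name, value))
    locked = apply_frame_policy(_FakeResponse(), [])
    print(locked.headers)
```

Only the view that embeds the Collection would call `apply_frame_policy`; every other page keeps the site-wide `SAMEORIGIN` that plone.protect sets, so the clickjacking exposure stays limited to the one view, exactly as intended above. If the list is edited through the UI, `normalize_origin` is the place where bad entries are caught before they reach a header.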

thank you for your idea!

A REST API would add overhead as the collection page is already styled and done. I need this to be embeddable so no further work needs to be done on the other end(s).

plone.protect adds the X-Frame-Options header in Plone and lets you customize it on per-view-basis, although you can't disable it:

In a recent project we have added an nginx rule to allow a given URL to be shown in an iframe.

proxy_hide_header X-Frame-Options;
On 1 Jul. 2023 at 08:58, Markus Hilbert via Plone Community <community@plone.org> wrote:

I will try a custom view that sets the X-Frame-Options response header - that will at least reduce the clickjacking risk from the entire website down to a few pages.

Additionally I could add a list field for allowed domains, so only those get set in the response header. Maybe worth a try.

I already did a view template using the master macro from main_template.

Try without including that (macro) line.
You don't need the header, footer etc.
Also check out 'fill-slots'.

I am not sure where the docs about fill-slots are, try googling it.