Iframe 8.11.0 not sending back information

Hello.

I have a rather open-ended question.

  • Do we know of any changes between 8.3.0 and 8.11.0 that would cause an iframe not to send data back to the application?

I have an iframe that worked well before but stopped working after I did an upgrade.

Any tips would be helpful.

Is the iframe on the same domain as it is included in?

The UseLitiumXFrameOptions middleware was added for extra security, to prohibit the website from being included in another site (preventing click bait attacks). The impact is that if your iframe needs to be loaded from another site, the middleware needs to be excluded for that path. You do that in the startup.cs file with something like below.

change from

app.UseLitiumXFrameOptions();

to something like this

app.UseWhen(x => !x.Request.Path.StartsWithSegments("/myUrl"), x => x.UseLitiumXFrameOptions());

where myUrl is the URL that you want to exclude from this middleware.

1 Like
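
Added example, not part of the thread or of Litium's code: a simplified JavaScript model of how a browser decides from the response headers whether a page may be shown in a cross-site frame, useful for checking that only the excluded path (here `/myUrl`) is framable. The function names, the `shop.example` and `partner.example` origins and the `SAMEORIGIN` value are assumptions; the thread does not say which header value the middleware sends.

```javascript
// Added example (not Litium code). Simplified model of the browser's framing
// decision for one embedding parent; host sources need an explicit scheme.
function framingAllowed(headers, frameUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const frameOrigin = new URL(frameUrl).origin;

  // A CSP frame-ancestors directive, when present, replaces X-Frame-Options.
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const allowed = directive.slice(1)
      .some((src) => matchesSource(src, parentOrigin, frameOrigin));
    return { allowed, decidedBy: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parentOrigin === frameOrigin, decidedBy: "x-frame-options" };
  }
  return { allowed: true, decidedBy: "none" };
}

function matchesSource(src, parentOrigin, frameOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === frameOrigin;
  if (s === "*") return true;
  const m = /^(https?):\/\/(\*\.)?([^/:]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port = ""] = m;
  const parent = new URL(parentOrigin);
  const defaultPort = scheme === "https" ? "443" : "80";
  if (parent.protocol !== scheme + ":") return false;
  if ((port === defaultPort ? "" : port) !== parent.port) return false;
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

// Constructed sample responses: the site is https://shop.example and
// https://partner.example is the page that embeds it.
const samples = {
  "/checkout": { "X-Frame-Options": "SAMEORIGIN" },
  "/myUrl": {},
};
```

Feeding it the real response headers copied from the browser's network tab for each path shows whether a framing header is still being sent on the path that must be embeddable.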

The iframe content and the website are on two different domains, but the content is always served from the same domain.

We didn’t have UseLitiumXFrameOptions to begin with.
We tried to add it but then it hindered us from moving forward.

The error we got: InvalidOperationException: No service for type ‘Litium.Web.Runtime.XFrameOptions.XFrameOptionsMiddleware’ has been registered.

Most probably the

services.AddLitiumXFrameOptions();

was not added in the ConfigureServices method inside the startup.cs file.

But if that is not added, it should not be the problem, as long as it is not added in some other way or through a similar header that prohibits cross-domain iframe requests.

What information does the network console provide? Can you see the request for the iframe content URL, and what is the response back there?

1 Like

We thought so as well.

The iframe we have is visible and we can interact with it, all except one button. This one button is meant to take us to the checkout page.

When clicking on this one button we do not get anything, no errors and nothing in the network. Nothing locally and nothing in our test environment. When using

monitorEvents(window, "message")

in the browser console we can see this message, and the information stored in it, when we press the button. But nothing ever happens. This wasn’t a problem until the project got upgraded.

So that’s why I thought that maybe something had happened to the iframe during the upgrade. But now it seems that it isn’t the case.

Okay so it seems like it might’ve been a link issue.

The link we used had /test/ in it. We have contact with the provider but you would think that we would have been told if something was wrong with the test link.

When we changed from the test link to the normal link used in production it works. It works locally and on our test site.

Can it be that the iframe response has some CSP (Content Security Policy) that prohibits the button event on the URL that you were testing from?

The Content Security Policy seems to be identical in both test and production currently.
