topic Re: Embedding Rest disabled in 10.1 by server in ArcGIS Enterprise Questions

Embedding Rest disabled in 10.1 by server

PatKeegan — Mon, 15 Oct 2012 16:33:10 GMT

Hi,

We have some Rest endpoints embedded in iframes. We use the GeocodeServer rest end point for address validation. This worked great prior to 10.0.

At 10.1, this content is blocked with a message of "This content cannot be displayed in a frame".

Esri tech support said this is not a supported use (rest in iframe).

I think the built in AGS web server (Geronimo) is configured to block via the X-Frame-Options config.

Anyone know how to enabled the ability to embed AGS Rest endpoints in an iframe?

thanks
-Pat

Re: Embedding Rest disabled in 10.1 by server

Anonymous User — Fri, 19 Oct 2012 23:46:48 GMT

Hi Pat,

I think there may be some confusion, several people are looking into this case you reported. Have you set up the Web Adapter? If so, you should be able to set custom response headers.

See this KB which discusses Mitigating frame sniffing with the X-Frame-Options.

http://support.microsoft.com/kb/2694329

You can even enable CORS.

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

I will look into this behavior, specifically what changed, and will get back to you as soon as possible.

Regards,
Doug Carroll, ESRI Support Services SDK Team
http://support.esri.com/

Re: Embedding Rest disabled in 10.1 by server

PatKeegan — Mon, 22 Oct 2012 12:11:12 GMT

Doug,

Yes, there was some confusion. I now understand I have an active support incident (awesome!).

Yes, I have web adapter set up.

It appears I have to enable CORS in geromino and I have not been able to figure that out. I can embed content from IIS wwwroot successfully. Content is blocked when I try to access embedded ArcGIS with or without webadapter.

Thanks a bunch,

-Pat

Re: Embedding Rest disabled in 10.1 by server

Anonymous User — Tue, 23 Oct 2012 16:00:13 GMT

Hi Pat, I've looked into this some more. What I've learned is that you are in a difficult situation, given your case. My thoughts on editing / changing the response header in your web server does not seem possible given the latest. Also CORS will not override X-Frame-Options from what I am finding. Usually it's the other way around where people don't want to share content via an iFrame. I can talk to the analyst working on your case, but we've tighten security at the 10.1. The response header in question is being set by ArcGIS for Server and it's prevent Clickjacking and Framesniffing attacks.

Clickjacking
http://en.wikipedia.org/wiki/Clickjacking

Framesniffing
http://www.infosecurity-magazine.com/view/24490/

As for your idea to operate on the internal guts of ArcGIS Server, I'd advise 100% against it. We may have an option for you, so I will inform the analyst you are working with, as it's probably better not to discuss security measures like this on the forums.

Thanks for posting here maybe we've helped inform a few others.

Regards,
Doug Carroll, ESRI Support Services SDK Team
http://support.esri.com/