Loading IVY-Process-Start in a iframe fails with ViewExpiredException

rih

I want to load an IVY-Process-start in a iframe of a web portal (not implemented with IVY).
If the url of the parent portal has the same host name like the ivy start link, then the loading is working fine.
Example:
ParentPortal: http://basnbhe003/startFrame.html
IVY process start: http://basnbhe003:8081/designer/pro/FRAME_TST/198ADC1823EF0A2E/start.ivp?userId=Dirkschneider&firm=210"

BUT if the parent was started with http://localhost/startFrame.html then the the loading fails with a ViewExpiredException!
What happen here? Is the IVY session killed during the loading ...?
Unfortunately the host name cannot be configured to be the same (even the parent portal and the IVY-Engine are running on the same box).

HINT:
I have adjusted the web.xml in my Designer (or Engine) concerning this antiClickJacking/SAMEORIGIN/CORS-Stuff (to enable loading ivy in an iframe)

See my Example IVY-Project, the manipulated web.xml of the IVY-Designer and the file startFrame.html (this is running in a IIS)

Lukas Lieb

Hi @rih

I'm not sure if this will ever work. Because if you run your portal and your iframe content under different origin url's, you will face various security restrictions.
As you already mentioned you need to change the X-FRAME-OPTIONS header so the iframe will be loaded by the browser, but this is not the end.

You will also not be able to do various things via JS inside the iframe
The session cookies will now be threaten as third-party cookies (cross-site cookies) as they will be received under another origin URL than the main document is loaded from.

I assume this is only a development environment issue, as you are developing your own portal and not developing it within the Designer?
With which technology do you developer this portal? Because sometimes they allow to setup a proxy service. With something like this, you can "open" the iframe content under the same origin URL as the portal and redirect the request in the server part to the actual page. E.g. in the JS world vite can do something like this out of the box: https://vite.dev/config/server-options.html#server-proxy and if you use something else, maybe there is a similar solution or there are also standalone solutions for problems like this.

I hope this helps