1 2 3 Previous Next 34 Replies Latest reply on Aug 24, 2013 11:10 PM by saymonc

    Apex in iframe broken in 4.1?

    Olafur T
      Hi,

      I am experiencing a strange problem after I upgraded Application Express to 4.1.

      Every new application I create, will not work in an iframe. The frame shows up as empty (with chrome's element inspector showing the content as simply <html><head></head><body></body></html>

      But older applications (created in 4.0 and earlier) they show up fine without problems.

      I have tried all the themes in 4.1 they all do not work in an iframe and if I create new pages in an older application the new pages work fine in an iframe.

      So there is some change in the 4.1 that seems to be breaking apex apps within iframes.

      I looked at the sequence of events in the Chrome Network tab of the Developer Tools. I see a request for "f" with a response of "302" (temporarily moved), which is fine, its the session mechanism redirecting.
      Then I see another request for "f" which gets the response of "Canceled".

      I can get an apex error message to show by pointing to a non-existing page in a new 4.1 app, but that is the only response I have been able to get..

      Any ideas anyone?

      Oli
        • 1. Re: Apex in iframe broken in 4.1?
          Patrick Wolf-Oracle
          Hi Oli,

          that's a new security feature to prevent clickJacking attacks. For new applications it's enabled, for existing ones it's disabled.
          Please see Shared Components > Security Attributes > Browser Security -> Embed in Frames

          There should also be something in the Release Notes but I couldn't find it. I will investigate why it's not there.

          Regards
          Patrick
          -----------
          My Blog: http://www.inside-oracle-apex.com
          APEX 4.0 Plug-Ins: http://apex.oracle.com/plugins
          Twitter: http://www.twitter.com/patrickwolf
          • 2. Re: Apex in iframe broken in 4.1?
            Olafur T
            Thanks Patrick.

            That was the problem. I like the "same origin" option, suits me perfectly.

            I had also gone over the release notes and didn't find any mention of frame security.

            Regards
            Oli
            • 3. Re: Apex in iframe broken in 4.1?
              Simakas
              hi,

              im still having this problem with 4.1 on IE, setting is set to Allow. app was created in 4.0 and cant access it via iFrame after upgrade to 4.1.
              any other suggestions?
              • 4. Re: Apex in iframe broken in 4.1?
                Patrick Wolf-Oracle
                Hi Simakas,

                have you looked at the debug output of your application if it really shows the debug message
                ...set additional http headers
                or check the HTTP header variables of your page by using LiveHTTP header for Firefox or any other browser which can show the response if it really includes the parameter X-FRAME-OPTIONS.
                I'm asking, because an upgraded application should still behave as in 4.0. Only newly created apps should show this new security behavior.

                Regards
                Patrick
                -----------
                My Blog: http://www.inside-oracle-apex.com
                APEX Plug-Ins: http://apex.oracle.com/plugins
                Twitter: http://www.twitter.com/patrickwolf
                • 5. Re: Apex in iframe broken in 4.1?
                  Simakas
                  thanks for reply,

                  problem is - I cant even connect to application. if fails after session was not accepted 124 times with (http 302). it works with all browsers except IE and only with 4.1.
                  ideas:
                  - failed 4.1 upgrade?
                  - stupid IE
                  - new way of doing things?

                  simon
                  • 6. Re: Apex in iframe broken in 4.1?
                    Patrick Wolf-Oracle
                    Hi Simon,

                    so you say in FF or Chrome it's working fine? Can you run the app in debug mode with one of those browsers just to rule out that it's iFrame protection.
                    The 302 actually don't have anything to do with iFrame protection. Can you reproduce the problem on apex.oracle.com? That would help to identify the problem.

                    Regards
                    Patrick
                    -----------
                    My Blog: http://www.inside-oracle-apex.com
                    APEX Plug-Ins: http://apex.oracle.com/plugins
                    Twitter: http://www.twitter.com/patrickwolf
                    • 7. Re: Apex in iframe broken in 4.1?
                      Simakas
                      hi Patrick,

                      I get the same 302 (issueing many session id's) if I put "http://apex.oracle.com/pls/apex/f?p=4550:1" in the same iFrame.
                      will check debugging, will copy app to apex.oracle.com

                      Simon
                      • 8. Re: Apex in iframe broken in 4.1?
                        Simakas
                        hi Patrick,

                        same result on apex.oracle.com 4.1.
                        tried it with demo app, think its the same:

                        - FF:ok, CH:ok, OO:ok, SF:fail, IE:fail

                        link used for testing:
                        http://apex.oracle.com/pls/apex/f?p=29393:101:4136314103467577::YES
                        could be IE problem, another guy using IE9 confirmed that he cant see my link in iframe.
                        • 9. Re: Apex in iframe broken in 4.1?
                          Simakas
                          bump. can anyone confirm the same?
                          • 10. Re: Apex in iframe broken in 4.1?
                            Patrick Wolf-Oracle
                            Hi,

                            can you provide me the workspace name for application 29393 so that I can have a look at the definition of the application.

                            Regards
                            Patrick
                            -----------
                            My Blog: http://www.inside-oracle-apex.com
                            APEX Plug-Ins: http://apex.oracle.com/plugins
                            Twitter: http://www.twitter.com/patrickwolf
                            • 11. Re: Apex in iframe broken in 4.1?
                              Simakas
                              hi,

                              workspace name 'simakas'
                              • 12. Re: Apex in iframe broken in 4.1?
                                Patrick Wolf-Oracle
                                That's interesting, tried the Sample Application with the following HTML file
                                <html>
                                <body>
                                <h1>iFrame public page</h1>
                                <iframe src="http://apex.oracle.com/pls/apex/f?p=29393:99:0" width="100%" height="300">
                                  your browser doesn't support iframes
                                </iframe>
                                <h1>iFrame protected page</h1>
                                <iframe src="http://apex.oracle.com/pls/apex/f?p=29393:1:" width="100%" height="300">
                                  your browser doesn't support iframes
                                </iframe>
                                </body>
                                </html>
                                The first iframe works fine which loads a public page with using session zero.
                                The second iframe which tries to include page 1 which is an authenticated page fails in IE8.

                                I assume it must have something to do with redirects which are not correctly working in the iframe. It has definitely nothing to do with the new security settings to prevent click hijacking, because that's not enabled for that application.

                                Will continue investigation.

                                Regards
                                Patrick
                                -----------
                                My Blog: http://www.inside-oracle-apex.com
                                APEX Plug-Ins: http://apex.oracle.com/plugins
                                Twitter: http://www.twitter.com/patrickwolf
                                • 13. Re: Apex in iframe broken in 4.1?
                                  Simakas
                                  if it helps:

                                  - stopped working after upgrade 4.0 -> 4.1
                                  - ie8 continuosly redirects to new session until bumps into some sort of timeout - 124 redirects (using httpwatch)

                                  Simon
                                  • 14. Re: Apex in iframe broken in 4.1?
                                    892178
                                    I am also having the same issue. We recently upgraded to 4.1 and now pages that had displayed in iframes prior to the upgrade will not display in iframes when run in IE. They work fine in firefox and chrome though. Has any solution been found for this?
                                    1 2 3 Previous Next