0 Replies Latest reply: Oct 9, 2012 10:53 PM by User8725816-Oracle RSS

    Restricting sites which can display PS as an iFrame

      We have a client who is deploying the Candidate Gateway careers page as an iFrame on their corporate website. However, E&Y raised an objection as part of their IT audit, stating that the CG page is not secure, because any website could embed it into their own iFrame. This would create a risk of hacking, e.g. I create a dummy website, embed the CG careers page, and use keystroke logging JavaScript on my page to capture the usernames and passwords entered.

      Is there any way that we can restrict the sites which can display the PeopleSoft page as an iFrame. For example, my PS URL is hris.company.com. I only want to allow sites with a URL of company.com to embed this as an iFrame. If any other site, e.g. mysite.com, tries using the PS page in an iFrame, this should not be allowed. We have tried looking into cookie domain settings on the webserver, but have not had any luck with this.

      Client is on PS HCM9.0, Tools 8.49.15.