
Navigation to the webpage was canceled using a URL in EBO

Issue

Navigation to the webpage was canceled using a URL in EBO.

Product Line

EBO

Environment

 

Cause

The website owner has added additional code to prevent their webpage from being displayed inside a third-party application such as EBO. The webpage can still be displayed directly in a web browser such as IE, Chrome or Firefox.

 

This additional measure uses the X-Frame-Options HTTP response header, which protects against 'clickjacking' by preventing the page from being embedded in other websites. Internet Explorer 8 introduced the X-Frame-Options header in 2009; it offered partial protection against clickjacking and was adopted shortly afterwards by other browsers (Safari, Firefox, Chrome and Opera). When set by the website owner, the header declares the site's preferred framing policy: DENY prevents any framing, SAMEORIGIN prevents framing by external sites, and ALLOW-FROM origin allows framing only by the specified site.

 

See Mozilla article for further information.
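To confirm that this header is why a page will not render in WebStation, the response headers of the target page can be evaluated against the three values described above. The following is an added example, not code from EBO or from the original article; the URLs and header sets are constructed samples, and it models only X-Frame-Options as this page describes it.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling default ports."""
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))

def framing_allowed(headers, page_url, parent_url):
    """Return (allowed, reason) for parent_url framing page_url.

    headers is the response header dict for page_url. Simplifications
    (assumptions of this example): only the direct parent is compared, and
    an unrecognised value is treated as if no header had been sent.
    """
    xfo = next((v for k, v in headers.items()
                if k.lower() == "x-frame-options"), None)
    if xfo is None:
        return True, "no X-Frame-Options header"
    value = xfo.strip()
    policy = value.upper()
    if policy == "DENY":
        return False, "DENY: no framing at all"
    if policy == "SAMEORIGIN":
        same = origin(page_url) == origin(parent_url)
        return same, "SAMEORIGIN: parent origin " + ("matches" if same else "differs")
    if policy.startswith("ALLOW-FROM"):
        permitted = value[len("ALLOW-FROM"):].strip()
        ok = bool(permitted) and origin(permitted) == origin(parent_url)
        return ok, f"ALLOW-FROM {permitted}: parent " + ("matches" if ok else "does not match")
    return True, f"unrecognised value {value!r}: treated as no policy"

if __name__ == "__main__":
    # Constructed sample data: hypothetical WebStation and target page URLs.
    webstation = "https://ebo.example.local/"
    target = "https://portal.example.com/dashboard"
    samples = [
        {},                                                     # no policy sent
        {"X-Frame-Options": "DENY"},
        {"x-frame-options": "sameorigin"},                      # names/values are case-insensitive
        {"X-Frame-Options": "ALLOW-FROM https://ebo.example.local"},
    ]
    for headers in samples:
        print(headers, "->", framing_allowed(headers, target, webstation))
```

A result of `False` for the WebStation origin means the site owner's policy blocks the embed, which matches the canceled navigation described in this article.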

 


 

 

Resolution

If a website uses X-Frame-Options to limit which other websites it can be embedded into, there is nothing to be done about that. It is the provider's decision and cannot be circumvented.

 

In Building Operation release 1.9 and later, there are two global policy settings that protect web content presented by Building Operation against clickjacking.
Option 1) Enable external content to be embedded in WebStation – This option must be selected to permit another web page to be rendered in a WebStation <frame> or <iframe>. To protect against clickjacking for all use cases, this option should be turned off.
Option 2) Enable WebStation to be embedded in another site – This option permits Building Operation web pages to be rendered in a <frame> or <iframe> from the local server. If this option is selected together with option 1, there is no protection against clickjacking.

The most secure and recommended configuration is to have both options turned off. However, when an application requires embedded web content, one or both of these options can be turned on.

 

Since this is a global policy, these settings affect all embedded content. If only some content needs to be embedded, there is no solution or workaround within EBO unless the webpage owner can remove or change this feature.

Version history
Revision #:
10 of 10
Last update:
‎2018-10-14 05:00 PM