Frame Policy

The "Web Frame Policy" configuration item was added to improve control over how Kinetic Request and Survey templates can be displayed within other web sites. It defines the rules for displaying Kinetic Request and Survey pages from within frames on other sites.

Details

By default, the "Web Frame Policy" configuration item is not set, which means that only pages on the same host (SAMEORIGIN) are allowed to display Kinetic Request templates in a frame. "Same host" here means that templates can be displayed in a frame only by a web page originating from the same server and port as the web server that hosts the Kinetic Request and Survey web application.

 

Configuration Item:  "Web Frame Policy"

  • If the value is not set, it is treated the same as if the value were set to SAMEORIGIN.
  • If the value is SAMEORIGIN, then only pages on the same web server and port will be allowed to show Kinetic Request and Survey pages in frames.
  • If the value is DENY, then Kinetic Request and Survey pages will not be allowed to be displayed in frames at all, no matter what server is trying to display them.
  • If the value is a URI, or multiple URI values separated by a space, then those values are applied as the URIs that are allowed to frame the pages.
    • For example, if the configuration item is set to "http://request-web-server:8080 http://midtier-web-server http://host3", then all three of those hosts will be allowed to display Kinetic Request and Survey pages in a frame.
    • These values are specific to the protocol, so if SSL is used for the host, the value must be https://host:port.
    • NOTE: Some older browsers, such as IE6, IE7, and IE8, only allow one host. In this case, only the first host will be allowed to use frames.
  • If the value is ALLOW, then the frame policy headers will not be applied and framing will be allowed from all hosts.
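
The rules in the list above can be checked before a value is saved. The following is an added example, not Kinetic code: `interpret_frame_policy` and the mode name `URI_LIST` are hypothetical, and exact-case matching of the keywords and the origin-only form of each URI are assumptions based on how the page writes its values.

```python
from urllib.parse import urlsplit

KEYWORDS = ("SAMEORIGIN", "DENY", "ALLOW")  # matched exactly as the page writes them (assumption)

def interpret_frame_policy(value):
    """Return (mode, origins, warnings) for a "Web Frame Policy" value."""
    text = (value or "").strip()
    if not text:
        return "SAMEORIGIN", [], []              # unset is treated as SAMEORIGIN
    if text in KEYWORDS:
        warnings = []
        if text == "ALLOW":
            warnings.append("ALLOW: no frame policy headers, any host may frame the pages")
        return text, [], warnings
    origins, warnings = [], []
    for item in text.split():                    # multiple URIs are space-separated
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a keyword or an http(s) URI: {item!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            warnings.append(f"{item}: expected scheme://host[:port] only")
        host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
        port = f":{parts.port}" if parts.port else ""
        origins.append(f"{parts.scheme}://{host}{port}")
        if parts.scheme == "http":               # values are protocol-specific
            warnings.append(f"{origins[-1]}: http entry; a host served over SSL needs https://host:port")
    if len(origins) > 1:
        warnings.append(f"older browsers (IE6-IE8) allow only the first host: {origins[0]}")
    return "URI_LIST", origins, warnings

# Sample values: the second is the example value from the list above, the rest are constructed.
SAMPLES = [None,
           "http://request-web-server:8080 http://midtier-web-server http://host3",
           "https://portal.example:8443",
           "ALLOW"]

if __name__ == "__main__":
    for sample in SAMPLES:
        mode, origins, warnings = interpret_frame_policy(sample)
        print(repr(sample), "->", mode, origins)
        for w in warnings:
            print("   warning:", w)
```

A value that is neither one of the three keywords nor a list of http(s) URIs raises `ValueError`, so a typo such as a lowercase keyword is caught before it reaches the configuration.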

 

Important Note

The "Web Frame Policy" configuration item does not apply to Kinetic Request management consoles, which may not be displayed within a frame from outside the domain where they are deployed. The Kinetic Request management consoles will always have the frame protection headers applied with the equivalent of SAMEORIGIN.