1
votes

Is there any way of showing Microsoft Dynamics CRM 2016 pages in an HTML iFrame? I was trying to add the X-frame options in the installation web config but it did not help.

2

I'm not on a CRM 2016 instance at the moment but would have expected that modifying the X-Frame-Options should work. What X-Frame-Options are present in your response header (view under the network tab in Chrome)? - Malachy

Hi @Malachy... Dynamics CRM supports the three standard X-Frame-Options values, i.e. Deny, Same Origin and Allow From. It seems by default it is set to Same Origin. When I changed the X-Frame-Options value to allow from the website's origin (i.e. the website which needs to frame it), the pages within the application, i.e. the out-of-the-box framing within Microsoft Dynamics CRM, started throwing errors. I am unable to find a way to set the X-Frame-Options header to allow multiple origins (i.e. both same origin and allow from). Any idea? - CRM_user

2 Answers

0
votes

I'm pretty sure this is a security feature of CRM. Having CRM iframed into another site would open up for XFS.

0
votes

It looks like X-Frame-Options does not work to authorize multiple domains, and the approach to take is to use the Content-Security-Policy header instead. This thread discusses the same type of issue: "X-Frame-Options Allow-From multiple domains".

The links below have information on how to use the Content-Security-Policy header: https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

The web.config snippet below looks like it works to me (I tried this on a CRM 2013 box).

  <httpProtocol>
    <customHeaders>
      <!-- seems to work correctly and override X-Frame-Options -->
      <add name="Access-Control-Allow-Origin" value="http://localhost" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self' localhost crmserver; script-src 'unsafe-eval' 'unsafe-inline' 'self' localhost crmserver;" />
    </customHeaders>
  </httpProtocol>

Where localhost is the site hosting the iFrame that embeds the CRM window, and crmserver is the CRM server's DNS name.

edit: It looks like Content-Security-Policy is only supported in Chrome and Firefox at the moment. IE does not support Access-Control-Allow-Origin.
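To make the difference between the two headers concrete, here is an added example (not code from the answer or from Dynamics CRM) that evaluates both policies offline: X-Frame-Options can express DENY, SAMEORIGIN or a single ALLOW-FROM origin, whereas CSP frame-ancestors takes a list of source expressions with host, scheme, port and wildcard matching. The header value is the one from the answer above; the page origin `http://crmserver`, the embedding origins and the `*.contoso.example` policy are constructed for illustration. The matching rules follow the CSP Level 3 host-source algorithm closely enough to test realistic header values, including the http-to-https upgrade and default-port handling that often trip people up.

```python
"""Evaluate framing policies offline.

Constructed example: compares the legacy X-Frame-Options header (at most one
ALLOW-FROM origin) with Content-Security-Policy frame-ancestors (a list of
source expressions). Origins and the test policies are made up.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# The header value quoted in the answer above; crmserver is the CRM host's DNS name.
CSP_FROM_ANSWER = ("frame-ancestors 'self' localhost crmserver; "
                   "script-src 'unsafe-eval' 'unsafe-inline' 'self' localhost crmserver;")
PAGE_ORIGIN = "http://crmserver"  # constructed: the origin of the framed CRM page


def origin_parts(origin: str):
    """Split 'scheme://host[:port]' into (scheme, host, port), filling in the default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port


def parse_directives(header: str) -> dict:
    """Turn "frame-ancestors 'self' a b; script-src ..." into {directive: [tokens]}."""
    directives = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return directives


def source_matches(source: str, ancestor: str, page_origin: str) -> bool:
    """Does one frame-ancestors source expression match the embedding (ancestor) origin?"""
    src = source.strip()
    a_scheme, a_host, a_port = origin_parts(ancestor)
    p_scheme, p_host, p_port = origin_parts(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (a_scheme, a_host, a_port) == (p_scheme, p_host, p_port)
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return a_scheme == src[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; host may begin with "*."
    scheme = None
    rest = src
    if "://" in src:
        scheme, rest = src.split("://", 1)
        scheme = scheme.lower()
    rest = rest.split("/", 1)[0]  # the path part plays no role for frame-ancestors
    host, _, port = rest.partition(":")
    host = host.lower()
    # Scheme: explicit scheme must match; no scheme means "the page's scheme".
    # In both cases CSP lets an http source also match an https ancestor.
    required = scheme or p_scheme
    if a_scheme != required and not (required == "http" and a_scheme == "https"):
        return False
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):  # "*.example" matches "a.example", not "example"
            return False
    elif a_host != host:
        return False
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)  # no port: default for the URL's scheme
    if port == "*":
        return True
    return a_port == int(port)


def csp_allows_framing(header: str, ancestor: str, page_origin: str) -> bool:
    """True if the policy's frame-ancestors directive lets `ancestor` frame the page.
    A policy without frame-ancestors does not restrict framing at all."""
    ancestors = parse_directives(header).get("frame-ancestors")
    if ancestors is None:
        return True
    return any(source_matches(s, ancestor, page_origin) for s in ancestors)


def xfo_allows_framing(header: str, ancestor: str, page_origin: str) -> bool:
    """Legacy X-Frame-Options: DENY, SAMEORIGIN, or exactly one ALLOW-FROM origin."""
    value = header.strip()
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return origin_parts(ancestor) == origin_parts(page_origin)
    if upper.startswith("ALLOW-FROM "):
        allowed = value.split(None, 1)[1]
        return origin_parts(ancestor) == origin_parts(allowed)
    raise ValueError(f"unrecognised X-Frame-Options value: {value!r}")


if __name__ == "__main__":
    for embedder in ("http://crmserver", "http://localhost", "http://localhost:8080", "http://evil.example"):
        print(f"{embedder:24} CSP: {csp_allows_framing(CSP_FROM_ANSWER, embedder, PAGE_ORIGIN)!s:5} "
              f"XFO ALLOW-FROM localhost: {xfo_allows_framing('ALLOW-FROM http://localhost', embedder, PAGE_ORIGIN)}")
```

Running the block shows the asker's dilemma directly: `ALLOW-FROM http://localhost` admits the portal but breaks CRM's own same-origin framing, while the `frame-ancestors 'self' localhost crmserver` policy admits both. It also shows why `http://localhost:8080` is rejected by a bare `localhost` source (the port must match the default for the scheme), which is a common surprise when the embedding site runs on a non-standard port.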