Framing options

WorldServer restricts page framing in order to prevent potential clickjacking attacks. By default, the X-Frame-Options HTTP header is set to SAMEORIGIN, which means that WorldServer web pages can be included as frames only in top-level pages which have the same origin.

To configure trusted origins from which frames can originate, you need to add a configuration file called csp_frame_ancestors.properties to the main WS_CONFIG folder. Then, within the file, add trusted origins as part of key-value pairs (ws_relative_url = origin_instance_url), where:
  • ws_relative_url is a relative URL (such as /ws-legacy/viewer)
  • origin_relative_url includes one or more trusted origins (such as http://myworldserverinstance.com:8080)