PathFactory uses iframes to serve content inside Content Tracks. Some web pages have restrictions that prevent their content from displaying in an iframe.
If you attempt to upload a web page to the Content Library that does not whitelist your PathFactory track URLs, you will be served an error message and will be unable to include that webpage as an asset in your Content Library.
In this article we’ll go over the two scenarios where you may encounter content without the correct whitelisting, and provide a possible solution for using this content in your PathFactory Content Tracks.
|If you’ve followed the directions outlined in this article and you are still seeing an error, you can contact firstname.lastname@example.org for assistance.|
Blocked Content from Third Party Web Pages
If you try to upload a web page from a domain that you do not own and that web page has not whitelisted your PathFactory track URLs, you will be served an error message telling you that you cannot upload this content to the Content Library.
Because you do not own this web page, your options are limited. You will be unable to add these third party web pages to your Content Library. You can use this content in an End Promoter in a content track if the following is true:
- You are building your Content Track in Target (this is not currently supported in Recommend)
- You are using the Flow or Signpost Promoter (this is not currently supported for other Target promoter types)
Blocked Content on Your Own Web Pages
If you try to upload a web page with a domain that you do own and that web page does not whitelist your PathFactory track URLs, you will be served an error message telling you that you cannot upload this content to the Content Library.
Since you own this web page, you can work with your website administrator or IT team to complete the following 3 necessary steps:
|Once you complete all three steps your content will be able to display in all browsers successfully.|
How to Add a CSP Header
Add the following Content Security Policy to your webpage(s) that you’d like to use in PathFactory content tracks. It is important that you include all the URLs shown below.
Content-Security-Policy: frame-ancestors 'self' http://yourcompany.lookbookhq.com https://yourcompany.lookbookhq.com http://yourcompany.pathfactory.com https://yourcompany.pathfactory.com http://customsubdomain.yourcompany.com https://customsubdomain.yourcompany.com
|It is important that you write your CSP according to the exact instructions above as any deviation may result in your content not uploading to PathFactory or displaying in content tracks.|
|If you are whitelisting individual subdomains as described above, it is important that you specify both HTTP and HTTPS URLs as shown in the example. Otherwise, the whitelisting might not work.|
Whitelisting with a Wildcard
If your PathFactory instance has a custom subdomain (for example, customsubdomain.yourcompany.com) and you’d prefer to whitelist using a wildcard, your CSP will be the following:
Content-Security-Policy: frame-ancestors 'self' *.yourcompany.com
Using a CSP with a wildcard is the perfect example of a directive with no protocol (http or https). If you’re using a CSP with a wildcard it will only work if the HTTP/HTTPS protocol on the asset and the track are an exact match.
Content Security Policy and X-Frame-Options
The Content Security Policy and X-Frame-Options headers must be carefully used in conjunction since both Safari and Internet Explorer 11 allow the latter to take precedence in web page security settings.
Remove X-Frame-Options SAME ORIGIN
It is important that you remove the X-Frame-Options SAMEORIGIN from any web pages you’d like to use in PathFactory content tracks. Otherwise, your content will not display. This header typically resides in the .htaccess file on your web server.
Add the ALLOW FROM Header
You’ll need to add the X-Frame-Options ALLOW FROM header to permit your web pages to display in content tracks on Internet Explorer 11. You want to whitelist the URL where your PathFactory content tracks live. This directive only supports whitelisting one URL, so you’ll need to make sure you whitelist the URL (with HTTP/HTTPS protocol) that your team will use consistently when sharing content track links with your audience.
Your team could set it up so that a programmatic change from X-Frame-Options SAME ORIGIN to ALLOW-FROM occurs if your webpage is within your PathFactory track (at your PathFactory subdomain).
|If you’ve followed the directions outlined above and you are still seeing an error telling you that your content cannot be displayed in an iframe you can contact email@example.com for assistance.|