About iFrame Blocking

Summary

PathFactory uses iframes to serve content inside Content Tracks. Some web pages have restrictions that prevent their content from displaying in an iframe.

An iframe, or inline frame, is an HTML tag that is used to embed an HTML document inside another HTML document on a website. The iframe HTML element can be used to insert content from another source, such as an advertisement, into a web page.

If you attempt to upload a web page to the Content Library that does not whitelist your PathFactory track URLs, you will be served an error message and will be unable to include that webpage as an asset in your Content Library.

In this article we’ll go over the two scenarios where you may encounter content without the correct whitelisting, and provide a possible solution for using this content in your PathFactory Content Tracks.

Note
If you’ve followed the directions outlined in this article and you are still seeing an error, you can contact support@pathfactory.com for assistance.

Blocked Content from Third Party Web Pages

If you try to upload a web page from a domain that you do not own and that web page has not whitelisted your PathFactory track URLs, you will be served an error message telling you that you cannot upload this content to the Content Library.

Because you do not own this web page, your options are limited. You will be unable to add these third party web pages to your Content Library. You can use this content in an End Promoter in a content track if the following is true:

  • You are building your Content Track in Target (this is not currently supported in Recommend)
  • You are using the Flow or Signpost Promoter (this is not currently supported for other Target promoter types)

What you can do:

When you enable the End Promoter, add the destination URL of the blocked content. When a visitor reaches the end of your Content Track they will be prompted with your call to action End Promoter. If the visitor clicks on this promoter, the destination URL (of the blocked content) will open in a new tab.


Blocked Content on Your Own Web Pages

If you try to upload a web page with a domain that you do own and that web page does not whitelist your PathFactory track URLs, you will be served an error message telling you that you cannot upload this content to the Content Library.

Since you own this web page, you can work with your website administrator or IT team to complete the following 3 necessary steps:

Note
Once you complete all three steps your content will be able to display in all browsers successfully.

How to Add a CSP Header

Add the following Content Security Policy to your webpage(s) that you’d like to use in PathFactory content tracks. It is important that you include all the URLs shown below.

 Content-Security-Policy: frame-ancestors 'self' http://yourcompany.lookbookhq.com https://yourcompany.lookbookhq.com http://yourcompany.pathfactory.com https://yourcompany.pathfactory.com http://customsubdomain.yourcompany.com https://customsubdomain.yourcompany.com

Warning
It is important that you write your CSP according to the exact instructions above as any deviation may result in your content not uploading to PathFactory or displaying in content tracks.

Warning
If you are whitelisting individual subdomains as described above, it is important that you specify both HTTP and HTTPS URLs as shown in the example. Otherwise, the whitelisting might not work.

In the example above, “yourcompany” should be replaced by the name assigned to your PathFactory instance. This is the first part of your PathFactory login domain.
[Image: PathFactory domain]

Similarly, “customsubdomain” should be replaced by the custom subdomain name where your team wants your content tracks to live.
For example, our Marketing team uses the custom subdomain nurturenow.pathfactory.com to serve content tracks and therefore our team whitelists both http://nurturenow.pathfactory.com and https://nurturenow.pathfactory.com.
For more information on custom subdomains and the process involved in setting one up, see this article.


Whitelisting with a Wildcard

If your PathFactory instance has a custom subdomain (for example, customsubdomain.yourcompany.com) and you’d prefer to whitelist using a wildcard, your CSP will be the following:

 Content-Security-Policy: frame-ancestors 'self' *.yourcompany.com

Important:

If no protocol (http:// or https://) is explicitly present in the URLs that you are whitelisting, Content Security Policy requires that the PathFactory URL and any asset URLs which have iframing restrictions use the same protocol in order for the whitelisting to work. You can read more about this rule here.

Using a CSP with a wildcard is the perfect example of a directive with no protocol (http or https). If you’re using a CSP with a wildcard it will only work if the HTTP/HTTPS protocol on the asset and the track are an exact match.
[Image: Example of CSP Wildcard]


Content Security Policy and X-Frame-Options

The Content Security Policy and X-Frame-Options headers must be used together carefully, since both Safari and Internet Explorer 11 allow the latter to take precedence in web page security settings.

Remove X-Frame-Options SAMEORIGIN

It is important that you remove the X-Frame-Options SAMEORIGIN header from any web pages you’d like to use in PathFactory content tracks. Otherwise, your content will not display. This header typically resides in the .htaccess file on your web server.

Add the ALLOW-FROM Header

You’ll need to add the X-Frame-Options ALLOW-FROM header to permit your web pages to display in content tracks on Internet Explorer 11. You want to whitelist the URL where your PathFactory content tracks live. This directive only supports whitelisting one URL, so you’ll need to make sure you whitelist the URL (with HTTP/HTTPS protocol) that your team will use consistently when sharing content track links with your audience.

For example:

Our marketing team always shares content track links at https://nurturenow.pathfactory.com so our directive looks like this:

 Header always append X-Frame-Options "ALLOW-FROM https://nurturenow.pathfactory.com"

Tip:
Your team could set it up so that a programmatic change from X-Frame-Options SAMEORIGIN to ALLOW-FROM occurs if your webpage is within your PathFactory track (at your PathFactory subdomain).
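
To check a page's response headers against the three steps above, including the rule for wildcard entries with no protocol, here is an added example (not PathFactory's code) that evaluates X-Frame-Options and frame-ancestors for a given track URL. The function names, the page URL www.yourcompany.com/whitepaper and the sample header set are assumptions; ports and X-Frame-Options values other than SAMEORIGIN and ALLOW-FROM are not handled.

```python
from urllib.parse import urlsplit

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname)  # ports ignored: default ports assumed

def _source_matches(source, parent, page_scheme):
    """Match one frame-ancestors host source against the track (parent) URL."""
    scheme, sep, host = source.lower().rpartition("://")
    if not sep:
        # No protocol in the source: the article's rule applies, so the track
        # and the asset page must use the same protocol (a strict check).
        scheme = page_scheme
    if parent.scheme != scheme:
        return False
    host = host.split("/")[0]
    if host.startswith("*."):
        return parent.hostname.endswith(host[1:])  # *.a.com matches x.a.com only
    return parent.hostname == host

def framing_allowed(headers, page_url, track_url):
    """Return (allowed, reason) for page_url shown in an iframe on track_url."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    page, parent = urlsplit(page_url), urlsplit(track_url)
    same_origin = _origin(page_url) == _origin(track_url)
    # X-Frame-Options first: the article says Safari and IE11 give it precedence.
    xfo = hdrs.get("x-frame-options", "").split()
    if xfo and xfo[0].upper() == "SAMEORIGIN" and not same_origin:
        return False, "X-Frame-Options SAMEORIGIN"
    if xfo and xfo[0].upper() == "ALLOW-FROM":
        if len(xfo) < 2 or _origin(xfo[1]) != _origin(track_url):
            return False, "X-Frame-Options ALLOW-FROM names another URL"
    # Then the frame-ancestors directive of Content-Security-Policy, if present.
    for directive in hdrs.get("content-security-policy", "").split(";"):
        name, *sources = directive.split() or [""]
        if name.lower() != "frame-ancestors":
            continue
        for src in sources:
            if src == "'self'" and same_origin:
                return True, "allowed by 'self'"
            if not src.startswith("'") and _source_matches(src, parent, page.scheme):
                return True, "allowed by " + src
        return False, "frame-ancestors does not list the track URL"
    return True, "no frame-ancestors restriction"

# Constructed sample using the article's placeholder names.
WILDCARD = {"Content-Security-Policy": "frame-ancestors 'self' *.yourcompany.com"}
PAGE = "https://www.yourcompany.com/whitepaper"
```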

Note
If you’ve followed the directions outlined above and you are still seeing an error telling you that your content cannot be displayed in an iframe, you can contact support@pathfactory.com for assistance.
Updated on April 14, 2023
