
X-Frame-Options Error


Question: I'm seeing this error when I open up my browser's developer tools:
Refused to display 'https://xxfilenamexx/dispatchapi.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'. 

 **Please note the actual file name has been changed for this article**

Answer:

The problem is that (by necessity) dispatch packages must be able to load dispatchapi.html from the remote host (the 3rd party LMS, in this case) in a frame with the cloud.scorm.com origin. This doesn't work currently because the 3rd party LMS sets X-Frame-Options to SAMEORIGIN for SCORM content. We don't see many LMSes with this behavior, but dispatches are unfortunately simply not compatible with those LMSes.

This problem can only be resolved by the third party LMS. There are two possible paths forward:

  1. They can whitelist cloud.scorm.com in their X-Frame-Options header for their course content files.
  2. They can simply not use X-Frame-Options for the course content files.

Note, in both cases, the security impact is limited if the 3rd party LMS only applies these changes to the course content files. SCORM Cloud (and anyone else building a dispatch-like solution) will not need to be able to embed the rest of the 3rd party LMS UI and/or API pages in external frames.
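The check below is an added example, not SCORM Cloud or LMS code: a simplified model of the browser's framing decision that a third-party LMS can use to confirm which header set lets dispatchapi.html load. It assumes the allow-list in option 1 is expressed with the Content-Security-Policy frame-ancestors directive, because current browsers do not honour X-Frame-Options ALLOW-FROM. The lms.example host, the paths and the nesting (LMS page, then a cloud.scorm.com frame, then dispatchapi.html) are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"https": 443, "http": 80}.get(u.scheme))

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def may_be_framed(resource_url, headers, ancestors):
    """Simplified framing decision. headers: lowercase names -> values.
    ancestors: URL of every embedding frame, top-level page first.
    Only 'self', 'none' and exact scheme://host sources are modelled."""
    me = origin(resource_url)
    chain = [origin(a) for a in ancestors]
    sources = frame_ancestors(headers.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors takes precedence; X-Frame-Options is then ignored.
        if "'none'" in sources:
            return False
        allowed = {me if s == "'self'" else origin(s) for s in sources}
        return all(a in allowed for a in chain)
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return all(a == me for a in chain)  # every ancestor must match
    return True  # header absent or unrecognised (ALLOW-FROM is not honoured)

# Constructed sample: an LMS page frames cloud.scorm.com, which frames dispatchapi.html.
LMS = "https://lms.example"
API = LMS + "/content/course1/dispatchapi.html"
CHAIN = [LMS + "/player", "https://cloud.scorm.com/dispatch"]
CSP = "frame-ancestors 'self' https://cloud.scorm.com"

if __name__ == "__main__":
    for name, hdrs in [("SAMEORIGIN", {"x-frame-options": "SAMEORIGIN"}),
                       ("no header", {}),
                       ("CSP allow-list", {"content-security-policy": CSP})]:
        print(name, "->", may_be_framed(API, hdrs, CHAIN))
```

Running the same check against the headers returned for the rest of the LMS UI and API pages shows whether the change stayed scoped to the course content files.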

If you have any questions please send us a message at support@rusticisoftware.com

 

 


Comments

  • Jose Martin

    Why not use a JSONP solution?
