
Apparently since fixing this problem 

https://support.safe.com/hc/en-us/articles/25407612007949-Known-Issue-FME-Flow-Apache-Tomcat-Vulnerability-with-X-Frame-Options-header

In FME Flow 2025.1, embedding FME Flow content to other pages is disabled entirely by default. 
 

Is there any chance to allow embedding from known sources, or is embedding considered so risky that this would not even be considered?

Hi, we also need an answer to this as we have just upgraded and found that our embedded apps are no longer working.

Thanks,

Marc


Originally, I thought you could use ALLOW-FROM (and antiClickJackingUri), rather than DENY in the web.xml for fmeserver; however, I soon noted that ALLOW-FROM is no longer supported by browsers and therefore you would be allowing any source.

<init-param>
  <param-name>antiClickJackingOption</param-name>
  <param-value>DENY</param-value> <!-- Prevents the page from being embedded in an iframe on any domain -->
</init-param>

 

It appears that frame-ancestors as part of the Content-Security-Policy is the way to go. But I have tried to add a custom response header to Tomcat, but have not been able to get it to work. Would be interested if anybody knows how to do that from an FME Flow Tomcat perspective?

Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
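
The header behaviour discussed in this thread, as an added example that is not part of any post and is not FME Flow or Tomcat code: a simplified Python model of how a current browser decides whether a parent page may frame a response, useful for checking captured response headers after a configuration change. The hostnames are constructed, and the model assumes a single framing parent and exact-origin sources only (no wildcard hosts or nested ancestors).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FLOW = "https://fme.example.com/fmeserver/"   # constructed FME Flow URL
PORTAL = "https://www.example.org/portal"     # constructed embedding page

def origin(url):
    """Normalise a URL to a (scheme, host, port) origin tuple."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP header, or None if absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def may_embed(headers, page_url, parent_url):
    """Decide whether parent_url may frame page_url, given the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        # When frame-ancestors is present, X-Frame-Options is not consulted.
        for src in sources:
            s = src.lower()
            if s == "*" or (s == "'self'" and parent == page):
                return True
            if "://" in s and origin(s) == parent:
                return True
        return False  # 'none' or an empty list matches no parent
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    # No header, or an unsupported value such as ALLOW-FROM: no restriction applies.
    return True
```
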