Closed tbalasavage closed 3 years ago
Hi @ps-tb,
Adding the hidden
attribute to the html document is our recommendation to prevent Clickjacking since X-Frame-Options
header is disabled. If you know the site URL that will embed (using iframe) your application, you could add that site's URL into the ACL list in the library and re-generate the JavaScript assets.
The JavaScript code will remove the hidden
attribute from the DOM if the page isn't being rendered inside of a frame.
Another option (not ideal) is to host a different endpoint for your application? Or, dynamically detect in the code whether to load and use this library or not.
@kolkheang Thanks for the response. In response to the suggestions:
Is there anything that your library can do to help in this situation? This seems like it may be an increasingly common scenario for applications in multiple environments.
Hi @ps-tb,
There isn't anything in the library today to conditionally enforce this rule. Since we recommend removing the X-Frame-Options
header in favor of this library, without this library, the page is open to Clickjacking.
I can log a ticket to investigate if there is anything we can do to help with the scenario that you've described.
@kolkheang Thanks for the info and help
@kolkheang If we were to conditionally load the library, I'd like to remove the hidden attribute from the HTML so that it's not present outside of Cerner. When we first started to use the library and didn't include the hidden
attribute, I believe that I saw console log messages that stated that the library has added the hidden
attribute because it wasn't present. Is that behavior correct? Can I exclude it and it will be added for me?
@ps-tb Sorry about the delay in responding here.
Yup you saw correct, based on the code here : https://github.com/cerner/xfc/blob/master/src/provider/provider.js#L6-L15 the hidden
attribute will be added if its absent from the page document.
The behavior is as expected because since the X-Frame-Options are disabled, the smart app will need to be protected from clickjacking for which the SMART app will need to consume this library which ensures prevention against clickjacking by hiding the page until authorized using XFC framework.
If you dont manually add the hidden
attribute then it will get added automatically if this JS library is added on the page.
As @kolkheang mentioned above you should be able to conditionally include this library on each of your pages by identifying if the application is running in Cerner's EHR i.e Powerchart. Ref : https://fhir.cerner.com/smart/#embedded-browser-control there is a section for : Embedded in Powerchart?
@shriniketsarkar Thanks for the info. We've taken this idea and are conditionally adding it if we launch within Cerner. That seemed to be the most reasonable solution for us and we're actively testing it out now. We had some help from Cerner and now have a Powerchart test instance that we can use for this purpose, which as been extremely helpful.
@tbalasavage please share any high level design approach that you've taken (if you can) on this in case others are wanting to do the same.
You may want to have another check / allow list (of authorized party using known hosts/URLs?) in case in the future, we have an additional places to embed the the app (example: outside of PowerChart).
I contribute to an application that uses this library. We're experiencing an issue where it appears that the
hidden
attribute that we've added to thehtml
tag as per the documentation prevents the application from rendering outside of a Cerner iframe; the screen is white until you remove thehidden
attribute from the DOM. Do you have a suggestion as to how this can be avoided?