Preventing Studio from Being Displayed in an iFrame

Allowing Studio to be displayed in an iFrame raises the risk of "clickjacking": an attacker loads Studio in an invisible frame on a page they control, so an end user who thinks they are clicking a legitimate link or button is actually performing an action in Studio that the attacker set up.

Studio provides settings in portal-ext.properties to control whether Studio can be displayed in an iFrame.

com.liferay.portal.servlet.filters.security.EndecaIFrameFilter.mode=SAMEORIGIN
com.liferay.portal.servlet.filters.security.EndecaIFrameFilter.javascriptFilter=false
Setting: com.liferay.portal.servlet.filters.security.EndecaIFrameFilter.mode
Description: Enables EndecaIFrameFilter, which sets the X-Frame-Options response header. The available values are:
  • SAMEORIGIN - This is the default. Frames can only be used within the same domain.

    Note that for Internet Explorer, the same domain with a different port number is still considered the same domain.

  • DENY - Indicates that frames cannot be used at all.
  • ALLOW-FROM <domain> - Frames can only be used if they are from the specified domain.

    This option is not recommended. It is not well supported and varies greatly from browser to browser.

Setting: com.liferay.portal.servlet.filters.security.EndecaIFrameFilter.javascriptFilter
Description: If set to true, a JavaScript-based check is applied in addition to the header, so that frames are not supported at all. You can use this setting to ensure that frames are not used even in browsers that do not support X-Frame-Options.
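To verify what a Studio deployment actually sends, the following shell script is an added example (not part of the Studio product or its documentation). It reads an HTTP response header block from standard input and classifies the X-Frame-Options value according to the options described above, returning a distinct exit code for each case. The sample header blocks embedded in it are constructed, and the hostname studio.example.com in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Studio product or its documentation.
# Classify the X-Frame-Options header in an HTTP response header block read
# from stdin. Return codes: 0 = framing restricted (DENY or SAMEORIGIN),
# 1 = header absent (any site can frame the page), 2 = ALLOW-FROM (poorly
# supported across browsers, as the setting table notes), 3 = unrecognized value.
check_xfo() {
    # Header names are case-insensitive and HTTP lines end in CRLF, so drop
    # the CR, take the value after the first colon, trim it and upper-case it.
    xfo_value=$(tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:lower:]' '[:upper:]')
    case "$xfo_value" in
        "")          echo "MISSING: no X-Frame-Options header; any origin can frame the page"; return 1 ;;
        DENY)        echo "OK: X-Frame-Options DENY; framing blocked everywhere"; return 0 ;;
        SAMEORIGIN)  echo "OK: X-Frame-Options SAMEORIGIN; only same-origin framing allowed"; return 0 ;;
        ALLOW-FROM*) echo "WEAK: X-Frame-Options $xfo_value; ALLOW-FROM is not consistently honored"; return 2 ;;
        *)           echo "UNKNOWN: X-Frame-Options value '$xfo_value'"; return 3 ;;
    esac
}

# Constructed sample responses (not captured from a real Studio server).
HDR_SAMEORIGIN='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
'
HDR_DENY='HTTP/1.1 200 OK
x-frame-options: deny
'
HDR_ALLOWFROM='HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM https://partner.example
'
HDR_MISSING='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
'

# Run the check over each sample; each call prints its classification.
# The "|| true" keeps the demonstration loop going past non-zero results.
for hdr in "$HDR_SAMEORIGIN" "$HDR_DENY" "$HDR_ALLOWFROM" "$HDR_MISSING"; do
    printf '%s' "$hdr" | check_xfo || true
done
```

Against a live deployment, pipe the response headers in: curl -sI https://studio.example.com/ | check_xfo (the hostname is a placeholder). Checking one URL only shows what the filter sent for that request and says nothing about whether the visiting browser honors the header, which is the gap the javascriptFilter setting is meant to cover.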

By default, Studio allows iFrames to be used if they are from the same domain. To completely prevent Studio from being displayed in an iFrame: