Issue
Clicking on a URL in Workstation gives the error message "Navigation to the webpage was canceled".
Product Line
EcoStruxure Building Operation
Environment
Building Operation WorkStation
Cause
The website owner has added additional code to prevent their webpage from being displayed in a 3rd party application e.g. EBO. However, the webpage can be viewed in a web browser e.g. IE, Chrome or Firefox.
This additional measure makes use of a feature called X-Frame-Options and is used to prevent 'clickjacking' and prevents embedding in other websites. In 2009 Internet Explorer 8 introduced a new HTTP header X-Frame-Options which offered partial protection against clickjacking and was shortly after adopted by other browsers (Safari, Firefox, Chrome and Opera). The header, when set by the website owner, declares its preferred framing policy: values of DENY, SAMEORIGIN, or ALLOW-FROM origin will prevent any framing, framing by external sites, or allow framing only by the specified site, respectively.
See Mozilla article for further information.
Resolution
If a web site implements the usage of X-Frame-Options to limit which other web sites it can be embedded into, there is nothing to be done about that. It is the providers' decision, and cannot be circumvented.
In Building Operation release 1.9 and later, there are two global policy settings used to protect Building Operation presented web content, so it is resilient against clickjacking.
Option 1 - Enable external content to be embedded in WebStation
This option must be selected to permit another web page to be rendered in a WebStation <frame> or <iframe>. To protect against clickjacking for all use cases, this option should be turned off.
Option 2 - Enable WebStation to be embedded in another site
This option permits Building Operation web pages to be rendered in a <frame> or <iframe> from the local server. If this option is selected with option 1, then there is no protection against clickjacking.
The most secure and recommended configuration is when both options are turned off. However, when an application requires embedded web content, one or both these options can be turned on.
Since this is a global policy, these settings will affect all embedded content. If only some content is required to be embedded then there is no solution or workaround within EBO unless the website owner can remove or change this feature.
