Zendesk does not allow iframing of Zendesk due to the inherent security risks involved in iframing a web application.
The security risk, UI Redressing, or, as it's more commonly known, "clickjacking", is a class of attack that uses an iframe element on a web page that is actually overlaying another website.
As in the example described in this blog post, users can be lured into thinking that they are accessing a separate website when in fact they are allowing the hacker into a website they've already logged into (their online banking account, for example).
Zendesk prevents the iframing of Zendesk by setting an HTTP header (X-Frame-options) to SAMEORIGIN for all server responses. This policy took effect on June 30th, 2013.
Comments
24 comments
Does anyone know if there have been updates to this? The last post was almost a year and a half ago. We wanted to allow iframing of some of our support documentation to allow sales reps to show it in Clearslide, but have found out that doesn't seem to be supported by Zendesk. Any workarounds or updates would be appreciated!
Hey Nicole!
As far as I can tell, the status of the ALLOWFROM option hasn't changed. Everything that I've seen in my searches indicates that Chrome still doesn't support it, and while Firefox seems to it looks like there's still a bug. Maybe somebody else who is better versed in this type of thing will have more information to share!
We're a SaaS CRM product and are very keen to have our Knowledge Base within our UI to avoid customers having to leave the product for their support needs.
Are there any other workarounds available here?
Chris,
Did you consider using the API to embed your content into your product?
Using the API is certainly an option, but represents a substantial effort in UI and integration development, and doesn't really add any value (since the UI would basically be the same as ZenDesk's)
It seems it would be minimal effort on your end to add the ALLOW-FROM header. Why not just do it, even if it's not supported across all browsers?
Another option would be for you to make disabling the SAMEORIGIN header a config setting. We do not use ZenDesk as a public-facing tool; we only use it internally. Clickjacking is not a concern for us, but it would incredibly useful to be able to embed ZenDesk into our own web app via an iframe.
Any news on this? There are safe ways to add iframes today and this would be critical functionality for our platform.
What does Zendesk offer as a substitute to using <iframe> code?
Peter, what do you need to do?
The main options are to use SSO and skin your Help Centre, or just recreate whatever you want in your product using the API.
Tom,
I don't understand "use SSO and skin your Help Centre", but we were able to embed a YouTube video by deselecting the "Display unsafe content" checkbox in the Help Center settings under Security Settings. The procedure to do that is linked to from Creating and editing articles in the knowledge base.
Zendesk articles are very helpful to us, but if I had one suggestion, it would be for articles of similar content to be linked together, or consolidated, when there is content overlap between articles. If that had been done in this article, users would know that there is a "workaround" to <iframe> code not being allowed.
Thanks,
Pete
+1000 for improving the clustering of related articles / comments / feedback.
Any news on this? As already stated using API is an unnecessary overhead (and overkill) which does not add any value.
I tried to allow unsafe content (just to give a try) and the result is the same.
Thank you
SN
Sergio,
Are you using <iframe> tags, or something else?
Pete
Yes Pete, that's what I tried before realizing it was not allowed. Any workaround (apart using API straight?)
If you changed your settings to allow unsafe content, it should allow <iframe> code. When you view the source code, is the <iframe> code being stripped, or is it there, but the video is just not displaying? It could possibly be settings on your PC. Have you checked with others to see if they are able to view the video? Another alternative is to try to use a YouTube code generator tool, like this one: Generate YouTube embed codes. It wraps the video code in <object> tags rather than <iframe> tags.
Console complaints about not being same origin.
Iframe is stripped.
I'm not trying to embed a video, I need to embed the whole article.
If that works I wrote an additional code that removes the header with the logo, but that's another story
Sorry Sergio, I don't have any other suggestions concerning your issue. Hopefully a Zendesk Product Manager will chime in with suggestions for you. Good luck!
We would also like to be able to embed our zendesk help articles as an IFRAME in our application without using an API. It seems like this topic has been brought up again repeatedly. Anyone have an update? or workaround?
We are successfully embedding other iframes, but Zendesk has been problematic.
Hi Andrea! Thanks for checking in!
I imagine this isn't what you're hoping to hear, but our policy on embedding Zendesk into an external iframe hasn't changed since this article was first published. As noted in the article above, there's a security risk that goes along with embedding in an iframe so we don't allow it.
Any chance we can get a configurable ALLOW-FROM domain in each Zendesk instance? This would mean by default the X-Frame-Options header could be DENY, and when an administrator configures *a single domain* to be allowed, the header is changed to allow that domain.
This it not insecure as we're not allowing *any* domain, only the single domain we've configured and we're accepting the responsibility for.
Any possibility of getting this functionality? As mentioned above using the API is a lot of unnecessary UI development.
This is a major issue for myself and will prevent me from purchasing
Hi Jonathan -
Can you tell us more about your use case and why this would be a deal breaker for you?
Hi Nicole,
I need a solution which I can implement myself (primary a designer with a bit of FE knowledge) which can be updated by an operations team. I work in an industry with an incredibly high CPA and we need users to stay within our transactional UI at all times. Sending them to an external site is unfortunately not an option.
Project isn't serious enough to warrant a deeper API connection and therefore an embedded iFrame would be an ideal solution.
Please sign in to leave a comment.