Zendesk does not allow iframing of Zendesk due to the inherent security risks involved in iframing a web application.
The security risk is UI redressing, more commonly known as "clickjacking": a class of attack in which a web page loads another website inside an iframe element and overlays it with deceptive content.
As in the example described in this blog post, users can be lured into thinking that they are accessing a separate website when in fact they are allowing the hacker into a website they've already logged into (their online banking account, for example).
Zendesk prevents the iframing of Zendesk by setting the HTTP header X-Frame-Options to SAMEORIGIN on all server responses. This policy took effect on June 30th, 2013.
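As an added illustration (not Zendesk's own code), the following Python function models how a browser applies the X-Frame-Options directives discussed in this article and its comments: SAMEORIGIN, DENY, and the legacy ALLOW-FROM. It also shows the caveat raised below: a browser that does not support ALLOW-FROM ignores the header entirely, which leaves the page frameable. All URLs are constructed examples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, dropping default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def framing_allowed(xfo_header, page_url: str, embedder_url: str,
                    supports_allow_from: bool = False) -> bool:
    """Decide whether a browser would render page_url inside an iframe
    hosted by embedder_url, given the raw X-Frame-Options header value
    (None when the server sent no such header).

    supports_allow_from models the browser: most browsers never implemented
    ALLOW-FROM and ignore an X-Frame-Options header carrying it.
    """
    if xfo_header is None:
        return True  # no header: any site may frame the page (clickjackable)

    directive, _, argument = xfo_header.strip().partition(" ")
    directive = directive.upper()

    if directive == "DENY":
        return False  # never frameable, not even by the same origin
    if directive == "SAMEORIGIN":
        # This is the policy the article describes: only pages on the
        # exact same origin (scheme, host, port) may frame it.
        return origin_of(page_url) == origin_of(embedder_url)
    if directive == "ALLOW-FROM":
        if not supports_allow_from:
            # Unsupported directive: the whole header is discarded, so the
            # page ends up with no framing protection at all in that browser.
            return True
        return origin_of(argument.strip()) == origin_of(embedder_url)

    return True  # unrecognised value: browsers ignore the header
```

The ALLOW-FROM branch is the reason a single-domain allow-list, as proposed in the comments, does not give SAMEORIGIN-equivalent protection across browsers.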
45 Comments
Does anyone know if there have been updates to this? The last post was almost a year and a half ago. We wanted to allow iframing of some of our support documentation to allow sales reps to show it in Clearslide, but have found out that doesn't seem to be supported by Zendesk. Any workarounds or updates would be appreciated!
Hey Nicole!
As far as I can tell, the status of the ALLOW-FROM option hasn't changed. Everything that I've seen in my searches indicates that Chrome still doesn't support it, and while Firefox seems to, it looks like there's still a bug. Maybe somebody else who is better versed in this type of thing will have more information to share!
We're a SaaS CRM product and are very keen to have our Knowledge Base within our UI to avoid customers having to leave the product for their support needs.
Are there any other workarounds available here?
Chris,
Did you consider using the API to embed your content into your product?
Using the API is certainly an option, but it represents a substantial effort in UI and integration development, and doesn't really add any value (since the UI would basically be the same as ZenDesk's).
It seems it would be minimal effort on your end to add the ALLOW-FROM header. Why not just do it, even if it's not supported across all browsers?
Another option would be for you to make disabling the SAMEORIGIN header a config setting. We do not use ZenDesk as a public-facing tool; we only use it internally. Clickjacking is not a concern for us, but it would be incredibly useful to be able to embed ZenDesk into our own web app via an iframe.
Any news on this? There are safe ways to add iframes today and this would be critical functionality for our platform.
What does Zendesk offer as a substitute to using <iframe> code?
Peter, what do you need to do?
The main options are to use SSO and skin your Help Centre, or just recreate whatever you want in your product using the API.
Tom,
I don't understand "use SSO and skin your Help Centre", but we were able to embed a YouTube video by deselecting the "Display unsafe content" checkbox in the Help Center settings under Security Settings. The procedure to do that is linked to from Creating and editing articles in the knowledge base.
Zendesk articles are very helpful to us, but if I had one suggestion, it would be for articles of similar content to be linked together, or consolidated, when there is content overlap between articles. If that had been done in this article, users would know that there is a "workaround" to <iframe> code not being allowed.
Thanks,
Pete
+1000 for improving the clustering of related articles / comments / feedback.
Any news on this? As already stated, using the API is unnecessary overhead (and overkill) which does not add any value.
I tried to allow unsafe content (just to give a try) and the result is the same.
Thank you
SN
Sergio,
Are you using <iframe> tags, or something else?
Pete
Yes Pete, that's what I tried before realizing it was not allowed. Any workaround (apart from using the API directly)?
If you changed your settings to allow unsafe content, it should allow <iframe> code. When you view the source code, is the <iframe> code being stripped, or is it there, but the video is just not displaying? It could possibly be settings on your PC. Have you checked with others to see if they are able to view the video? Another alternative is to try to use a YouTube code generator tool, like this one: Generate YouTube embed codes. It wraps the video code in <object> tags rather than <iframe> tags.
Console complaints about not being same origin.
Iframe is stripped.
I'm not trying to embed a video, I need to embed the whole article.
If that works, I wrote additional code that removes the header with the logo, but that's another story.
Sorry Sergio, I don't have any other suggestions concerning your issue. Hopefully a Zendesk Product Manager will chime in with suggestions for you. Good luck!
We would also like to be able to embed our Zendesk help articles as an IFRAME in our application without using an API. It seems like this topic has been brought up repeatedly. Does anyone have an update or workaround?
We are successfully embedding other iframes, but Zendesk has been problematic.
Hi Andrea! Thanks for checking in!
I imagine this isn't what you're hoping to hear, but our policy on embedding Zendesk into an external iframe hasn't changed since this article was first published. As noted in the article above, there's a security risk that goes along with embedding in an iframe so we don't allow it.
Any chance we can get a configurable ALLOW-FROM domain in each Zendesk instance? This would mean by default the X-Frame-Options header could be DENY, and when an administrator configures *a single domain* to be allowed, the header is changed to allow that domain.
This is not insecure as we're not allowing *any* domain, only the single domain we've configured and are accepting the responsibility for.
Any possibility of getting this functionality? As mentioned above using the API is a lot of unnecessary UI development.
This is a major issue for myself and will prevent me from purchasing.
Hi Jonathan -
Can you tell us more about your use case and why this would be a deal breaker for you?
Hi Nicole,
I need a solution which I can implement myself (primarily a designer with a bit of FE knowledge) and which can be updated by an operations team. I work in an industry with an incredibly high CPA and we need users to stay within our transactional UI at all times. Sending them to an external site is unfortunately not an option.
Project isn't serious enough to warrant a deeper API connection and therefore an embedded iFrame would be an ideal solution.
Why not allow embedding an iframe of a Zendesk product within a Zendesk app?
The app is launched as an iframe with source zdusercontent.com - what is the security risk of allowing cross-origin resource sharing with zendesk.com?
It will allow us, for example, to set up a Zendesk app in the agents' interface that will open the Guide moderation queue.
Please consider!
You do embed the Zendesk Chat as an iframe in the Chat app within the agent interface.
We would like to have a similar app but with the moderation queue.
Hey Tal! Nice to see you back!
I would think you could do this...here at Zendesk we have our internal Knowledge Base linked in the Support sidebar and it appears in an iframe. I believe it's a private app we developed; I don't think it's available publicly.
You might be able to get some more help over at develop.zendesk.com - that's our developer Community. The folks over there will probably have some insight into what needs to be done to accomplish this.
Hi Jessie,
Unfortunately, your Support team specifically said that embedding any page from Zendesk in an iFrame is impossible, even if it's from within a Zendesk app...
So if you do have some private app that can do that it's probably some exception and it's not something we the customers can enjoy.
Too bad - if you found it useful for your own agent to use it internally, why not allow it to your paying customers?
Thanks,
Tal
Hey Tal!
Have you actually tried doing this? I'm just wondering if you've confirmed that it doesn't work. I know we don't allow embedding Help Center in external websites, but I didn't think that applied to embedding in the agent interface.
Sure, see attached image.
I've tried both with the iFrame app and in an app I wrote - still the same error.
Refer to ticket 3804042