Embedding Zendesk into an iframe is not allowed Follow

Comments

20 comments

  • Avatar
    Nicole Infiesta

    Does anyone know if there have been updates to this? The last post was almost a year and a half ago. We wanted to allow iframing of some of our support documentation to allow sales reps to show it in Clearslide, but have found out that doesn't seem to be supported by Zendesk. Any workarounds or updates would be appreciated!

  • Avatar
    Jessie Schutz

    Hey Nicole!

    As far as I can tell, the status of the ALLOWFROM option hasn't changed. Everything that I've seen in my searches indicates that Chrome still doesn't support it, and while Firefox seems to it looks like there's still a bug. Maybe somebody else who is better versed in this type of thing will have more information to share!

  • Avatar
    Chris Palmer

    We're a SaaS CRM product and are very keen to have our Knowledge Base within our UI to avoid customers having to leave the product for their support needs.

    Are there any other workarounds available here?

  • Avatar
    Christian Colding

    Chris,

    Did you consider using the API to embed your content into your product?

  • Avatar
    Arosca (Edited )

    Using the API is certainly an option, but represents a substantial effort in UI and integration development, and doesn't really add any value (since the UI would basically be the same as ZenDesk's)

    It seems it would be minimal effort on your end to add the ALLOW-FROM header. Why not just do it, even if it's not supported across all browsers?

  • Avatar
    Arosca

    Another option would be for you to make disabling the SAMEORIGIN header a config setting. We do not use ZenDesk as a public-facing tool; we only use it internally. Clickjacking is not a concern for us, but it would incredibly useful to be able to embed ZenDesk into our own web app via an iframe.

  • Avatar
    Legogris

    Any news on this? There are safe ways to add iframes today and this would be critical functionality for our platform.

  • Avatar
    Pete LeRoy

    What does Zendesk offer as a substitute to using <iframe> code?

  • Avatar
    Tom

    Peter, what do you need to do?

    The main options are to use SSO and skin your Help Centre, or just recreate whatever you want in your product using the API.

  • Avatar
    Pete LeRoy

    Tom,

    I don't understand "use SSO and skin your Help Centre", but we were able to embed a YouTube video by deselecting the "Display unsafe content" checkbox in the Help Center settings under Security Settings. The procedure to do that is linked to from Creating and editing articles in the knowledge base.

    Zendesk articles are very helpful to us, but if I had one suggestion, it would be for articles of similar content to be linked together, or consolidated, when there is content overlap between articles. If that had been done in this article, users would know that there is a "workaround" to <iframe> code not being allowed.  

    Thanks,

    Pete

  • Avatar
    Jonathan March

    +1000 for improving the clustering of related articles / comments / feedback.

  • Avatar
    Sergio Negri

    Any news on this? As already stated using API is an unnecessary overhead (and overkill) which does not add any value.

    I tried to allow unsafe content (just to give a try) and the result is the same.

    Thank you

    SN

  • Avatar
    Pete LeRoy

    Sergio,

    Are you using <iframe> tags, or something else?

    Pete

  • Avatar
    Sergio Negri

    Yes Pete, that's what I tried before realizing it was not allowed. Any workaround (apart using API straight?)

  • Avatar
    Pete LeRoy

    If you changed your settings to allow unsafe content, it should allow <iframe> code. When you view the source code, is the <iframe> code being stripped, or is it there, but the video is just not displaying? It could possibly be settings on your PC. Have you checked with others to see if they are able to view the video? Another alternative is to try to use a YouTube code generator tool, like this one: Generate YouTube embed codes. It wraps the video code in <object> tags rather than <iframe> tags. 

  • Avatar
    Sergio Negri

    Console complaints about not being same origin.
    Iframe is stripped.
    I'm not trying to embed a video, I need to embed the whole article.
    If that works I wrote an additional code that removes the header with the logo, but that's another story

  • Avatar
    Pete LeRoy

    Sorry Sergio, I don't have any other suggestions concerning your issue. Hopefully a Zendesk Product Manager will chime in with suggestions for you. Good luck!  

  • Avatar
    Andrea Lindquist

    We would also like to be able to embed our zendesk help articles as an IFRAME in our application without using an API.  It seems like this topic has been brought up again repeatedly.    Anyone have an update?  or workaround?

    We are successfully embedding other iframes, but Zendesk has been problematic.

  • Avatar
    Jessie Schutz

    Hi Andrea! Thanks for checking in!

    I imagine this isn't what you're hoping to hear, but our policy on embedding Zendesk into an external iframe hasn't changed since this article was first published. As noted in the article above, there's a security risk that goes along with embedding in an iframe so we don't allow it.

  • Avatar
    Andrew Sharpe

    Any chance we can get a configurable ALLOW-FROM domain in each Zendesk instance?  This would mean by default the X-Frame-Options header could be DENY, and when an administrator configures *a single domain* to be allowed, the header is changed to allow that domain.

    This it not insecure as we're not allowing *any* domain, only the single domain we've configured and we're accepting the responsibility for.

Please sign in to leave a comment.

Powered by Zendesk