Embedding Zendesk into an iframe is not allowed

Zendesk does not allow iframing of Zendesk due to the inherent security risks involved in iframing a web application.

The security risk is UI redressing or, as it is more commonly known, "clickjacking": a class of attack in which an attacker's web page uses an iframe element to overlay another website, so that the user's clicks land on the framed site.

As in the example described in this blog post, users can be lured into thinking that they are accessing a separate website when in fact they are allowing the hacker into a website they've already logged into (their online banking account, for example).

Zendesk prevents the iframing of Zendesk by setting an HTTP header (X-Frame-Options) to SAMEORIGIN for all server responses. This policy took effect on June 30th, 2013.
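To confirm that a deployment actually sends the header described above, here is an added example (not Zendesk's code) that classifies a response's framing policy the way a browser would: it checks for a CSP frame-ancestors directive first, then X-Frame-Options, and treats the obsolete ALLOW-FROM value as unprotected. The sample header dictionaries are constructed, not captured from Zendesk.

```python
"""Classify the clickjacking protection a server response declares.

Added example, not Zendesk's code. Browsers that understand
Content-Security-Policy frame-ancestors ignore X-Frame-Options when both
are present, so CSP is evaluated first.
"""
from typing import Dict, Optional

def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'csp', 'deny', 'sameorigin', 'obsolete', 'invalid' or 'none'."""
    csp = _lookup(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return "csp"
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        return "none"          # any site may frame this page
    value = xfo.strip().upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "sameorigin"    # only same-origin pages may frame it
    if value.startswith("ALLOW-FROM"):
        # Obsolete directive: modern browsers do not honour it and behave
        # as if the header were absent, so it offers no protection.
        return "obsolete"
    return "invalid"           # unknown values are ignored by browsers

def is_clickjacking_protected(headers: Dict[str, str]) -> bool:
    return framing_policy(headers) in {"csp", "deny", "sameorigin"}

# Constructed sample responses, not captured from a real server.
SAMPLE_PROTECTED = {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"}
SAMPLE_UNPROTECTED = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("protected", SAMPLE_PROTECTED), ("unprotected", SAMPLE_UNPROTECTED)):
        print(name, framing_policy(hdrs), is_clickjacking_protected(hdrs))
```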


Comments

  • 1

    Does anyone know if there have been updates to this? The last post was almost a year and a half ago. We wanted to allow iframing of some of our support documentation to allow sales reps to show it in Clearslide, but have found out that doesn't seem to be supported by Zendesk. Any workarounds or updates would be appreciated!

  • 0

    Hey Nicole!

    As far as I can tell, the status of the ALLOWFROM option hasn't changed. Everything that I've seen in my searches indicates that Chrome still doesn't support it, and while Firefox seems to it looks like there's still a bug. Maybe somebody else who is better versed in this type of thing will have more information to share!

  • 1

    We're a SaaS CRM product and are very keen to have our Knowledge Base within our UI to avoid customers having to leave the product for their support needs.

    Are there any other workarounds available here?

  • 0

    Chris,

    Did you consider using the API to embed your content into your product?

  • 0

    Using the API is certainly an option, but represents a substantial effort in UI and integration development, and doesn't really add any value (since the UI would basically be the same as ZenDesk's).

    It seems it would be minimal effort on your end to add the ALLOW-FROM header. Why not just do it, even if it's not supported across all browsers?

  • 1

    Another option would be for you to make disabling the SAMEORIGIN header a config setting. We do not use ZenDesk as a public-facing tool; we only use it internally. Clickjacking is not a concern for us, but it would be incredibly useful to be able to embed ZenDesk into our own web app via an iframe.

  • 1

    Any news on this? There are safe ways to add iframes today and this would be critical functionality for our platform.

  • 0

    What does Zendesk offer as a substitute to using <iframe> code?

  • 0

    Peter, what do you need to do?

    The main options are to use SSO and skin your Help Centre, or just recreate whatever you want in your product using the API.

  • 0

    Tom,

    I don't understand "use SSO and skin your Help Centre", but we were able to embed a YouTube video by deselecting the "Display unsafe content" checkbox in the Help Center settings under Security Settings. The procedure to do that is linked to from Creating and editing articles in the knowledge base.

    Zendesk articles are very helpful to us, but if I had one suggestion, it would be for articles of similar content to be linked together, or consolidated, when there is content overlap between articles. If that had been done in this article, users would know that there is a "workaround" to <iframe> code not being allowed.

    Thanks,

    Pete

  • 0

    +1000 for improving the clustering of related articles / comments / feedback.
