Embedding Zendesk into an iframe is not allowed Follow

Zendesk does not allow iframing of Zendesk due to the inherent security risks involved in iframing a web application.

The security risk, UI Redressing, or, as it's more commonly known, "clickjacking", is a class of attack that uses an iframe element on a web page that is actually overlaying another website.

As in the example described in this blog post, users can be lured into thinking that they are accessing a separate website when in fact they are allowing the hacker into a website they've already logged into (their online banking account, for example).

Zendesk prevents the iframing of Zendesk by setting an HTTP header (X-Frame-options) to SAMEORIGIN for all server responses. This policy took effect on June 30th, 2013. 

Have more questions? Submit a request

Comments

  • 1

    Does anyone know if there have been updates to this? The last post was almost a year and a half ago. We wanted to allow iframing of some of our support documentation to allow sales reps to show it in Clearslide, but have found out that doesn't seem to be supported by Zendesk. Any workarounds or updates would be appreciated!

  • 0

    Hey Nicole!

    As far as I can tell, the status of the ALLOWFROM option hasn't changed. Everything that I've seen in my searches indicates that Chrome still doesn't support it, and while Firefox seems to it looks like there's still a bug. Maybe somebody else who is better versed in this type of thing will have more information to share!

  • 1

    We're a SaaS CRM product and are very keen to have our Knowledge Base within our UI to avoid customers having to leave the product for their support needs.

    Are there any other workarounds available here?

  • 0

    Chris,

    Did you consider using the API to embed your content into your product?

  • 0

    Using the API is certainly an option, but represents a substantial effort in UI and integration development, and doesn't really add any value (since the UI would basically be the same as ZenDesk's)

    It seems it would be minimal effort on your end to add the ALLOW-FROM header. Why not just do it, even if it's not supported across all browsers?

    Edited by Arosca
  • 1

    Another option would be for you to make disabling the SAMEORIGIN header a config setting. We do not use ZenDesk as a public-facing tool; we only use it internally. Clickjacking is not a concern for us, but it would incredibly useful to be able to embed ZenDesk into our own web app via an iframe.

  • 1

    Any news on this? There are safe ways to add iframes today and this would be critical functionality for our platform.

Please sign in to leave a comment.

Powered by Zendesk