Embedding Zendesk into an iframe is not allowed


38 Comments

  • Jessie Schutz

    Hey Tal!

    Interesting. I see that my colleague Tod has taken over your ticket; you're definitely in good hands. He's been conferring with some folks internally, so we'll continue to help you out there!

    0
  • Larry Click

    No change to this policy per my most recent ticket. It would be good that our users don't have to leave our app to get help. It makes for a more confusing user experience. 

    Not happy about this.  We don't want to have to replicate all the information we already have on Zendesk on another website just so we can access it in-app.

    0
  • Jcoy

    We have a specific use case where we would really like some form of Andrew Sharpe's idea implemented (configurable origin settings to allow a single domain to embed the Zendesk app in an iframe).

    I understand the technical challenges on your side of the fence, but this would be a huge benefit to our company and customers.

    Our particular use case is the following: I actually DO want to perform a cross-site scripting scenario where my application sends JavaScript and manipulates form data on the ticket creation page.  I have already set up the proper JavaScript communication where the origin is checked at both ends (so security should not be an issue in that regard).  The problem that I can't overcome is the Zendesk server ALWAYS responding with an X-Frame-Options: SAMEORIGIN header.

    All we need is the ability to configure the following header:

    X-Frame-Options: allow-from https://ourdomain.com/

    This doesn't pose any more of a security risk than what is already inherent in our application.  As a developer, I don't buy the "for security reasons" line.  I DO understand that it may require development effort on your side to allow configurable header options per server instance.  However, I know that that effort is far less for you than it would be for your many customers who want to have this functionality and are forced into the API/custom UI approach you seem to want everyone to use.

    Please just let us configure the response headers per server (or at least this one header option).  It's really not a huge undertaking for you guys and it will save a lot of your customers a good bit of development time and headache.  No one wants to write a UI to display what Zendesk so wonderfully provides.

    Thank you for reading this.

    Technical info on the X-Frame-Options header.

    1
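The two header values discussed in the comment above are not handled the same way by current browsers: `SAMEORIGIN` is enforced, while `allow-from` is an obsolete value that is ignored, and per-origin framing is expressed with the CSP `frame-ancestors` directive instead. The following is an added example, not code from Zendesk or from any commenter; it models that decision for a single level of framing and supports only `'none'`, `'self'`, `*` and exact-origin sources, and the hostname `support.example.com` in the usage comment is constructed.

```javascript
// Added example (not Zendesk's code): simplified model of how a current
// browser decides whether `embedder` may frame a response from `resource`.
// Assumes one level of framing and only 'none', 'self', * and
// exact-origin sources in frame-ancestors.
function framingDecision(headers, embedder, resource) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const emb = new URL(embedder).origin;
  const res = new URL(resource).origin;

  // 1. CSP frame-ancestors, when present, is enforced and X-Frame-Options
  //    is ignored.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    const ok = fa.slice(1).some(src => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === '*') return true;
      if (s === "'self'") return emb === res;
      try { return new URL(src).origin === emb; } catch { return false; }
    });
    return { allowed: ok, via: 'csp frame-ancestors' };
  }

  // 2. X-Frame-Options: only DENY and SAMEORIGIN are recognised.
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { allowed: false, via: 'xfo deny' };
  if (xfo === 'sameorigin') return { allowed: emb === res, via: 'xfo sameorigin' };
  if (xfo.startsWith('allow-from')) {
    // Obsolete value: ignored, so the response carries no framing restriction.
    return { allowed: true, via: 'xfo allow-from ignored' };
  }
  return { allowed: true, via: 'no policy' };
}

// Usage with constructed values:
// framingDecision({ 'X-Frame-Options': 'SAMEORIGIN' },
//                 'https://ourdomain.com', 'https://support.example.com')
```
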
  • Kaloyan Todorov

    +1

    1
  • w w

    There is a workaround.

    On your server, you have to create a proxy endpoint (ex: https://myzendeskproxy.myproduct.com).

    It will forward all the traffic to Zendesk, but you can cut out the X-Frame-Options header from all responses.
    Moreover, you will have to analyze the body of the response (from Zendesk) and replace all the references to the Zendesk domain with your proxy address.

    Then you can easily integrate Zendesk into any iframe you want.

    And thanks, Zendesk team, for such a great and convenient product! You are doing a great job! Well done!

    -2
  • falk.brauer

    +1

    0
  • Brett - Community Manager

    Thanks for taking the time to share this with us Cakra!

    0
