Zendesk does not allow iframing of Zendesk due to the inherent security risks involved in iframing a web application.
The security risk, UI Redressing, or, as it's more commonly known, "clickjacking", is a class of attack that uses an iframe element on a web page that is actually overlaying another website.
As in the example described in this blog post, users can be lured into thinking that they are accessing a separate website when in fact they are allowing the hacker into a website they've already logged into (their online banking account, for example).
Zendesk prevents the iframing of Zendesk by setting an HTTP header (X-Frame-Options) to SAMEORIGIN for all server responses. This policy took effect on June 30th, 2013.
Years have passed. Are there changes?
I want to embed my article from the help center to another site.
What about the ability to iframe another resource into an article? This seems necessary.
You should be able to embed another resource into your Help Center article using the source code editor along with some custom CSS in your Guide theme.
I've seen this done on some other Help Centers so if you have a developer team available they should be able to help get this set up.
Let me know if you have any other questions!
I found another post that implicitly answers my question. To embed content into a Zendesk article, you first need to change your settings to "allow unsafe content".
To allow unsafe HTML in HTTP responses
1. In Guide, on the sidebar, click the Settings icon.
2. Under Guide Settings > Security, click the Display Unsafe Content check box.
3. Click Update.
With this checked you should be able to embed.
Link to article
The Content-Security-Policy HTTP response header offers a mechanism that could allow this functionality securely.
It seems like there are two different use cases here:
1 - Embedding Zendesk HC resources into an app / website so users can access articles/resources in context. Ideally there would be a Guide Settings > Security option where the admin can disable the "X-Frame-Options" header.
2 - Embedding potentially unsafe HTML: This could be better managed with a Content-Security-Policy so the account admin / developer could set some parameters on safe/unsafe resources/scripts/css/etc.
I'm working on use case #1 for an Ionic app (iOS, Android, and single page app for web) with one code base. We're not relying on Zendesk for any direct user authentication. Without the X-Frame-Options, we're looking at these workarounds for help center articles:
a) Use the Zendesk API to load specific articles
b) Implement the deprecated Support SDK for iOS/Android and classic web widget for web users
c) Implement messaging SDK / web widget, but it seems to be missing some key features around JWT authentication
d) Break context and kick users out of our application into the help center site through a browser or new tab.
e) Use a different CMS for our help articles
Maybe I'm missing something and there's an easier way? I was hoping to simply show the help center in an IFrame with our existing in-app "Contact Support" button at the bottom.
Update: In case it helps anyone, we went with option (a) Zendesk's article API to list and show articles directly in our single page application since iframes are not allowed. We're also experimenting with linking over to help center pages directly in a new tab / browser.
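An added example (not from the thread or from Zendesk) of the framing decision discussed above: how a browser treats `X-Frame-Options: SAMEORIGIN` compared with a `Content-Security-Policy` `frame-ancestors` allowlist. All hostnames are constructed, and the function models only the immediate parent and a subset of source-expression syntax.

```javascript
// Added example: would a browser let parentUrl frame frameUrl, given the framed
// response's headers? Simplified: checks only the immediate parent (browsers check
// every ancestor) and a subset of frame-ancestors source syntax.
function matchesSource(source, parent, self) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return parent.origin === self.origin;
  const m = /^(https?):\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // 'none' or syntax this sketch does not model
  const scheme = m[1].toLowerCase(), host = m[3].toLowerCase();
  if (parent.protocol !== scheme + ":") return false;
  const dflt = scheme === "https" ? "443" : "80";
  if ((m[4] || dflt) !== (parent.port || dflt)) return false;
  // "*.example.com" matches subdomains only, not example.com itself
  return m[2] ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function framingAllowed(headers, frameUrl, parentUrl) {
  const self = new URL(frameUrl), parent = new URL(parentUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // When frame-ancestors is present it is enforced and X-Frame-Options is ignored.
    // An empty source list or 'none' matches nothing.
    return directive.slice(1).some(s => matchesSource(s, parent, self));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parent.origin === self.origin;
  return true; // header absent, or a value browsers ignore (e.g. obsolete ALLOW-FROM)
}

// Constructed sample origins and headers.
const HC = "https://support.example.com/hc/en-us/articles/1";
const APP = "https://app.example.com/help";
const OTHER = "https://unrelated.example.net/page";
const xfoOnly = { "X-Frame-Options": "SAMEORIGIN" };
const withCsp = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://app.example.com",
};

console.log("XFO only, app embeds HC:  ", framingAllowed(xfoOnly, HC, APP));
console.log("CSP allowlist, app embeds:", framingAllowed(withCsp, HC, APP));
console.log("CSP allowlist, other site:", framingAllowed(withCsp, HC, OTHER));
```

With `SAMEORIGIN` alone, no third-party origin can embed the page; a `frame-ancestors` allowlist admits only the named origin and still refuses every other site.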
I'm interested in running an A/B test for our Zendesk support site, the program we are using (crazyegg.com) requires the use of iframe. Can we work with a tech team to allow for temporary iframe allowance to complete this test?
Thanks a lot for your question. As we know, iframe is not allowed. The reason is the inherent security risks involved in iframing a web application.
However, did you try to use iframe app https://www.zendesk.com/marketplace/apps/support/1/iframe/ ?
The alternative way is to use API for updating your help center - https://developer.zendesk.com/api-reference/help_center/help-center-api/introduction/
Hope it helps
It's cool how people snake in with a pretty solution post after it's been solved - where do I get those "Zendesk Pro" badges?
We have the guide articles integrated as a repository within a third party widget on our product already. They require an iFrame compatible URL to integrate the chat functionality. Is this possible?