Telerik Forums / UI for ASP.NET AJAX
This is a migrated thread and some comments may be shown as answers.

RadSpell and X-FRAME-OPTIONS

4 Answers 370 Views
Spell
This is a migrated thread and some comments may be shown as answers.
Jyoti
Top achievements
Rank 1
Jyoti asked on 08 Mar 2017, 02:22 PM

I am trying to use RadSpell , but  a web.config security setting is not allowing RadSpell to open it's frame popup window. The security setting is a must setting , i can not remove this setting. This setting is to prevent click jacking. ( more on this - https://www.owasp.org/index.php/Clickjacking)

 

 

Here is my  web config setting.

<httpProtocol>
      <customHeaders>
        <clear/>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />              
      <add name="X-Frame-Options" value="DENY"/>
        <add name="Content-Security-Policy" value="frame-ancestors 'inherit' " />
        <remove name="X-AspNet-Version" />
       <remove name="X-Powered-By" />

      </customHeaders>
    </httpProtocol>

4 Answers, 1 is accepted

Sort by
0
Marin Bratanov
Telerik team
answered on 08 Mar 2017, 05:13 PM

Hi Jyoti,

The default RadSpell dialog is a RadWindow and it must use an iframe to load the contents. The X-Frame-Options header with value DENY will prevent any page in your site from being loaded in an iframe.

Thus, the only solution is to use a browser window for the spell:

<script>
    function OnClientLoad(sender, args) {
        sender.set_useClassicDialogs(true);
    }
</script>
<telerik:RadSpell runat="server" ID="RadSpell1" OnClientLoad="OnClientLoad" ControlToCheck="Textbox1" />
<asp:TextBox ID="Textbox1" runat="server" Text="miztake" />

I also added this information to the API reference of the control.

Regards,

Marin Bratanov
Telerik by Progress
Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
0
Jyoti
Top achievements
Rank 1
answered on 11 Mar 2017, 08:44 PM
this is great - but looks like the close button is not working in IE . Can you please check. I do not see any javascript console error in IE.
0
Marin Bratanov
Telerik team
answered on 14 Mar 2017, 04:28 PM

Hello Jyoti,

This works fine for me. Can you confirm your IE is not running in Compatibility Mode?

I can also suggest that you try adding either of the following in a .js file you can point the DialogsScriptFile property to

  • just close the dialog, will not apply changes, however:

    $telerik.$(document).ready(function () {
        $telerik.$("#dialogControl_Cancel").mousedown(function (evt) {
            window.close();
        });
    });
  • attempt to get a reference to the browser window object in a different way by overriding the built-in feature

    Telerik.Web.UI.Spell.SpellDialog.prototype.closeDialog = function (applyChanges) {
        this.prepareClose(applyChanges);
        this._spell.raiseEvent("clientDialogClosing", Sys.EventArgs.Empty);
        var wnd = Telerik.Web.UI.Dialogs.CommonDialogScript.get_windowReference();
        wnd.close();
        window.close();//try adding this
    }

Regards,

Marin Bratanov
Telerik by Progress
Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
0
Jyoti
Top achievements
Rank 1
answered on 16 Mar 2017, 12:44 PM
I am Using IE 11 ( browser is not in compatibility mode) . But above code did work . Thanks a Lot.
Tags
Spell
Asked by
Jyoti
Top achievements
Rank 1
Answers by
Marin Bratanov
Telerik team
Jyoti
Top achievements
Rank 1
Share this question
or