RadSpell and X-FRAME-OPTIONS

5 posts, 0 answers
  1. Jyoti
    3 posts
    Member since:
    Sep 2014

    Posted 08 Mar

    I am trying to use RadSpell, but a web.config security setting is not allowing RadSpell to open its frame popup window. The security setting is a must-have setting; I cannot remove this setting. This setting is to prevent clickjacking (more on this: https://www.owasp.org/index.php/Clickjacking).

    Here is my web.config setting.

    <httpProtocol>
      <customHeaders>
        <clear/>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Frame-Options" value="DENY"/>
        <add name="Content-Security-Policy" value="frame-ancestors 'inherit' " />
        <remove name="X-AspNet-Version" />
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

  2. Marin Bratanov
    Admin
    3914 posts

    Posted 08 Mar

    Hi Jyoti,

    The default RadSpell dialog is a RadWindow and it must use an iframe to load the contents. The X-Frame-Options header with value DENY will prevent any page in your site from being loaded in an iframe.

    Thus, the only solution is to use a browser window for the spell:

    <script>
        function OnClientLoad(sender, args) {
            sender.set_useClassicDialogs(true);
        }
    </script>
    <telerik:RadSpell runat="server" ID="RadSpell1" OnClientLoad="OnClientLoad" ControlToCheck="Textbox1" />
    <asp:TextBox ID="Textbox1" runat="server" Text="miztake" />

    I also added this information to the API reference of the control.

    Regards,

    Marin Bratanov
    Telerik by Progress
    Try our brand new, jQuery-free Angular 2 components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
  3. Jyoti
    3 posts
    Member since:
    Sep 2014

    Posted 11 Mar in reply to Marin Bratanov

    This is great, but it looks like the close button is not working in IE. Can you please check? I do not see any JavaScript console error in IE.
  4. Marin Bratanov
    Admin
    3914 posts

    Posted 14 Mar

    Hello Jyoti,

    This works fine for me. Can you confirm your IE is not running in Compatibility Mode?

    I can also suggest that you try adding either of the following in a .js file you can point the DialogsScriptFile property to:

    • just close the dialog, will not apply changes, however:

      $telerik.$(document).ready(function () {
          $telerik.$("#dialogControl_Cancel").mousedown(function (evt) {
              window.close();
          });
      });
    • attempt to get a reference to the browser window object in a different way by overriding the built-in feature:

      Telerik.Web.UI.Spell.SpellDialog.prototype.closeDialog = function (applyChanges) {
          this.prepareClose(applyChanges);
          this._spell.raiseEvent("clientDialogClosing", Sys.EventArgs.Empty);
          var wnd = Telerik.Web.UI.Dialogs.CommonDialogScript.get_windowReference();
          wnd.close();
          window.close();//try adding this
      }

    Regards,

    Marin Bratanov
    Telerik by Progress
  5. Jyoti
    3 posts
    Member since:
    Sep 2014

    Posted 16 Mar in reply to Marin Bratanov

    I am using IE 11 (the browser is not in compatibility mode). But the above code did work. Thanks a lot.
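
Added example (not part of the original thread and not Telerik's code): a simplified JavaScript model of how a browser applies the two framing headers from the first post, showing that an iframe-based dialog is refused both where `frame-ancestors` is enforced and where only `X-Frame-Options` is honoured. It assumes a single parent frame and a constructed origin, and handles only `'none'`, `'self'` and exact-origin sources; the function names are hypothetical.

```javascript
// Simplified model of the browser's framing check for one parent frame.
// Hypothetical helper names; the origin below is constructed sample data.

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestorsSources(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingDecision(headers, pageOrigin, parentOrigin) {
  const sources = frameAncestorsSources(headers["Content-Security-Policy"]);
  if (sources !== null) {
    // Where frame-ancestors is supported it takes precedence over X-Frame-Options.
    // 'none' and undefined keywords such as 'inherit' match no ancestor at all.
    const allowed = sources.some((s) =>
      (s.toLowerCase() === "'self'" && parentOrigin === pageOrigin) ||
      (!s.startsWith("'") && s === parentOrigin));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (headers["X-Frame-Options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "X-Frame-Options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parentOrigin === pageOrigin, decidedBy: "X-Frame-Options" };
  }
  return { allowed: true, decidedBy: "no framing header" };
}

const ORIGIN = "https://app.example.test"; // constructed origin

// Headers as posted in the thread's web.config.
const posted = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'inherit' ",
};
// The same response as seen by a browser that does not implement frame-ancestors.
const postedWithoutCspSupport = { "X-Frame-Options": "DENY" };

// The dialog page is framed by a page of the same site in both cases.
console.log(framingDecision(posted, ORIGIN, ORIGIN));
console.log(framingDecision(postedWithoutCspSupport, ORIGIN, ORIGIN));
```

Both calls report `allowed: false`, which is why the dialog has to open in a separate browser window (`set_useClassicDialogs(true)`) while the headers stay in place.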