Frame Bursting in Oracle ADF Application

Vinothgan-Oracle, Sep 16 2014 — edited Sep 16 2014

Hello,

We have developed an ADF application with ADF BC and ADF Faces UI on JDev version 11.1.1.7.

Since we are advised to set the oracle.adf.view.rich.security.FRAME_BUSTING parameter's value to always for security reasons, we tried setting it in the web.xml file as below:

<context-param>
<param-name>oracle.adf.view.rich.security.FRAME_BUSTING</param-name>
<param-value>always</param-value>
</context-param>

But after setting this, af:dialog doesn't seem to work wherever we used it. The window is launched, but no data is displayed in it, and there are no errors in the JDeveloper log either.

Please help with some clues/answers.

Below is the reason why we set it to always:

----------------------------------------------------------


Use the oracle.adf.view.rich.security.FRAME_BUSTING context parameter to use framebusting in your application.
If you configure your application to use framebusting by setting the parameter to always, then whenever a page tries to run in a frame, an alert is shown to the user that the page is being redirected, and then the above code is run, which causes it to be the topmost page, thereby disallowing the page to run in the frame.
Default Value: differentDomain (This setting causes framebusting to occur only if the frame is in a page that is from a different domain than your application. This is the default setting.)
In OFSLL14.1, there is no explicit setting defined in web.xml, which means the default option is being used by the application to allow usage of frames in the same domain. Recommended practice is to always disallow the frame, whether it is the same domain or a different domain.
Recommended solution is to use the following security properties in web.xml:
<context-param>
<param-name>oracle.adf.view.rich.security.FRAME_BUSTING</param-name>
<param-value>always</param-value>
</context-param>
Usage of always will cause the page to show an error and redirect whenever it attempts to run in a frame.


Regards,

Vinothgan AS
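
Added example, not part of the original post and not Oracle's code: a Python check that reads a web.xml and reports the effective FRAME_BUSTING setting, treating an absent parameter as the differentDomain default described in the text quoted in the post. The function names and the two sample web.xml strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PARAM = "oracle.adf.view.rich.security.FRAME_BUSTING"
DEFAULT = "differentDomain"  # value in effect when the parameter is absent, per the quoted text

def local(tag):
    """Strip an XML namespace: '{ns}param-name' -> 'param-name'."""
    return tag.rsplit("}", 1)[-1]

def frame_busting_setting(web_xml_text):
    """Return (effective_value, explicitly_set) for the FRAME_BUSTING context-param."""
    root = ET.fromstring(web_xml_text)
    values = []
    for elem in root.iter():
        if local(elem.tag) != "context-param":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        if fields.get("param-name") == PARAM:
            values.append(fields.get("param-value", ""))
    if not values:
        return DEFAULT, False
    if len(set(values)) > 1:
        raise ValueError(f"conflicting {PARAM} values: {values}")
    return values[0], True

def audit(web_xml_text):
    """Summarise the setting as an OK/REVIEW line for a configuration review."""
    value, explicit = frame_busting_setting(web_xml_text)
    if value == "always":
        return "OK: framing is refused for every parent page"
    origin = "set explicitly" if explicit else "not set, default applies"
    if value == "differentDomain":
        return f"REVIEW ({origin}): same-domain pages may still frame the application"
    return f"REVIEW ({origin}): value {value!r} is not one this page describes"

# Constructed samples (not taken from a real deployment).
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>oracle.adf.view.rich.security.FRAME_BUSTING</param-name>
    <param-value>always</param-value>
  </context-param>
</web-app>"""
UNSET = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>'

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("unset", UNSET)):
        print(name, "->", audit(text))
```
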

Post Details
Locked on Oct 14 2014
Added on Sep 16 2014