Greetings,
I am using the website viewer widget on the case details page and trying to integrate the URL https://google.com in it.
When the page is loaded, the website does not load and I get an error in the browser console:
Refused to display 'https://www.google.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'
My ESAPIWafPolicy.xml has the below entries defined
<outbound-rules>
    <add-header name="Cache-Control" value="no-cache, no-store" path=".*/|.*\.jsp|.*/jaxrs/.*|.*/api/.*"/>
    <add-header name="Content-Security-Policy"
        value="default-src 'self' google.com data: blob: https:; font-src 'self' google.com data: blob: https:; img-src 'self' google.com data: blob: https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com; worker-src 'self' google.com; style-src 'self' 'unsafe-inline' google.com; frame-ancestors 'self' google.com"
        path="/.*"/>
    <add-header name="Referrer-Policy" value="same-origin" path="/.*"/>
    <add-header name="Strict-Transport-Security" value="max-age=7776000; includeSubdomains" path="/.*"/>
    <add-header name="X-Content-Type-Options" value="nosniff" path="/.*"/>
    <add-header name="X-Frame-Options" value="ALLOW-FROM google.com" path="/.*"/>
    <add-header name="X-Permitted-Cross-Domain-Policies" value="none" path="/.*"/>
    <add-header name="X-XSS-Protection" value="1; mode=block" path="/.*"/>
</outbound-rules>
Please advise how this can be resolved.
#CaseManager #Support #SupportMigration
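
The browser error quoted above comes from the `X-Frame-Options` header on the framed site's response, while outbound headers like those in the policy above apply to the embedding application's own responses. The sketch below is an added example, not part of the original post or of any product code, and models that check; `casemanager.example` and `partner.example` are constructed placeholders and the matching rules are simplified.

```javascript
// Added example. Simplified model of the browser's framing check: only the
// direct parent is considered; host sources match exactly (no wildcards/ports).

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, parent, framed) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return parent.origin === framed.origin;
  if (s.endsWith(':')) return parent.protocol === s;        // scheme source, e.g. https:
  if (s.includes('://')) return parent.origin === new URL(s).origin;
  return parent.hostname === s;                             // bare host source
}

// headers: lower-cased response headers of the FRAMED page, not the embedding page.
function canFrame(parentUrl, framedUrl, headers) {
  const parent = new URL(parentUrl);
  const framed = new URL(framedUrl);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present it decides and X-Frame-Options is ignored.
    const allowed = sources.some((s) => sourceMatches(s, parent, framed));
    return { allowed, decidedBy: 'frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'sameorigin') {
    return { allowed: parent.origin === framed.origin, decidedBy: 'x-frame-options' };
  }
  // Absent or unrecognised value; ALLOW-FROM is obsolete and ignored by current browsers.
  return { allowed: true, decidedBy: 'none' };
}

// Constructed inputs: casemanager.example is a placeholder for the embedding application.
const APP = 'https://casemanager.example/navigator/';
const blocked = canFrame(APP, 'https://www.google.com/', { 'x-frame-options': 'sameorigin' });
const permitted = canFrame(APP, 'https://partner.example/', {
  'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://casemanager.example",
});
console.log(blocked, permitted);
```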