I got this question from a fellow MVP (Rod), and we got into a talk about IFrames, Business Central and security.
The question was: Can Microsoft Dynamics 365 Business Central host an external service inside an IFrame on a page as a control add-in?
The idea is great, but for security reasons, it’s not allowed. Pages served from Business Central, has x-frame-options set to SAMEORIGIN.
SAMEORIGIN means, that the browser can use render elements on the page that comes from the origin as the main URL.
But let’s test this, first I’ll create a simple control add-in:
With a bit of Javascript to create an IFrame and add a URL:
Add the control add-in to a random page:
Compile and run!
Zoom in on the error:
If the content of the IFrame was local, it would render without issues, but due to the security restrictions of SAMEORIGIN, you cannot use IFrames in Business Central for external content.
