An OAG application fails to render a resource in an iframe, and the browser Developer Tools show an error such as:
Refused to display '(URL)/' in a frame because it set 'X-Frame-Options' to 'deny'.
- Okta Access Gateway (OAG)
The back-end application's response includes the header "X-Frame-Options: deny", which tells the client browser not to load that resource in an iframe.
- In this example, the issue occurs because the back-end application's response includes the "X-Frame-Options: deny" header. Validate this with the application team to understand why the application responds with this header and whether anything can be done on the application side to change this part of its response.
- On the OAG side, a potential workaround would be to add the following directive to the policy for the relevant resource:
proxy_hide_header X-Frame-Options;
- This directive tells OAG to hide the "X-Frame-Options" response header (sent by the back-end application) in OAG's response to the front-end client. As a result, the client may not see "X-Frame-Options: Deny" in the response headers, so the client browser will not complain about rendering the resource in an iframe.
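Hiding the header also removes the framing restriction the back-end application was asking browsers to enforce. The following policy is an added example, not taken from the original article or from Okta's documentation, that pairs the workaround with a replacement policy limited to the page that legitimately hosts the iframe. It assumes the OAG policy field accepts the standard nginx `add_header` directive, and `https://portal.example.com` is a placeholder origin.

```nginx
# Added example; assumes standard nginx directives are accepted in the OAG policy.
# https://portal.example.com is a placeholder for the origin of the page
# that embeds this resource in an iframe.

# Workaround from the article: drop the back-end's "X-Frame-Options: deny".
# On its own, this leaves the resource embeddable by any site unless
# another response header restricts framing.
proxy_hide_header X-Frame-Options;

# Replacement framing policy: only the application's own origin and the
# named parent origin may embed the resource. "always" sends the header
# on error responses as well as successful ones.
add_header Content-Security-Policy "frame-ancestors 'self' https://portal.example.com" always;
```

If the back-end application already sends its own Content-Security-Policy header, the browser enforces every policy it receives, so a stricter `frame-ancestors` value from the back end will still block the frame.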
- If the issue persists or does not seem to be related to the back-end application sending "X-Frame-Options: Deny", consider reviewing the following:
