Protecting against clickjacking
With the upcoming deprecation of third-party cookie support by Google (see Privacy Sandbox for the Web), Planon Self-Service integration support will become deprecated on January 1st 2024. To keep the same functionality, open the link in a new browser tab instead of embedding it in an iframe.
By default, the Planon Web Client is protected against clickjacking. Clickjacking tricks a user into clicking and performing an action on a site or application. This is usually done by hiding the real content behind a layer placed on top of the application.
There are two generic mechanisms to prevent clickjacking: the "X-Frame-Options" header and the Content-Security-Policy "frame-ancestors" directive (CSP level 2). Neither can be used out of the box on its own, because neither is supported by the full set of browsers.
To solve this, Planon implemented a Valve on the Web server: the ClickjackHostValve. This valve is configured in the server.xml located in \Server\tomcat-*\conf. At runtime it sets both the "X-Frame-Options" header and the CSP "frame-ancestors" directive with the correct values, based on the incoming URL.
By default, Planon is installed with the Planon Web Client setup, which allows framing only by the Web server itself. Planon Self-Service portal integration requires additional configuration: every portal for which integration is needed requires its own DNS alias.
Default installation: Planon Web Client setup
Alternative installation: Planon Self-Service integration setup
For more information about clickjacking in general, see Clickjacking. For web applications the issue mainly concerns iframe elements.
Portal integration configuration
1. Define DNS aliases for every server for which portal integration is needed.
2. Add a file with the name "portals.txt" in …\Server\tomcat-*\conf.
The file must contain the DNS aliases and their corresponding portal URLs, one pair per line, in the form: DNS Alias=Portal URL
For example:
planonportal1.company.com=http://portal1.company.com
planonportal2.company.com=http://portal2.company.com
If the host of an incoming URL is listed in this file, Planon allows framing from the portal location mapped to it. All other incoming URLs must be same-origin; otherwise framing is blocked.
The file is picked up automatically; a restart of the Web server is not needed.
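As an added example, not Planon's ClickjackHostValve code (whose source is not on this page), the following Python models the decision the valve and the portals.txt configuration above describe: parse the "DNS Alias=Portal URL" file, then, for a given incoming Host, emit either portal-allowing headers or same-origin-only headers, and check what a browser evaluating the resulting frame-ancestors directive would decide. The sample portals.txt content is constructed; the case-insensitive, port-ignoring host match, the handling of blank and "#" lines, and the reduction of the portal URL to its origin are assumptions of this example, not documented behaviour.

```python
"""Model of the host-based anti-clickjacking decision described on this page.

Added example, not Planon's ClickjackHostValve source. Rule reproduced: an
incoming Host listed as a DNS alias in portals.txt gets headers that allow
framing from the mapped portal URL; every other host gets same-origin-only
headers. Assumptions (not stated on the page): Host matching is
case-insensitive and ignores the port, blank lines and '#' comment lines in
portals.txt are ignored, and only the portal URL's origin is used.
"""
from urllib.parse import urlsplit

# Constructed sample portals.txt contents, in the page's "DNS Alias=Portal URL" format.
SAMPLE_PORTALS_TXT = """\
# constructed sample; DNS alias on the left, portal URL on the right
planonportal1.company.com=http://portal1.company.com
planonportal2.company.com=https://portal2.company.com:8443/planon/
"""


def parse_portals(text):
    """Return {dns_alias: portal_origin} from portals.txt-style text."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"portals.txt line {lineno}: expected 'alias=url', got {raw!r}")
        alias, url = (part.strip() for part in line.split("=", 1))
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"portals.txt line {lineno}: not an http(s) URL: {url!r}")
        # A path or query in the portal URL plays no role in frame-ancestors; keep the origin only.
        mapping[alias.lower()] = f"{parts.scheme}://{parts.netloc}"
    return mapping


def framing_headers(incoming_host, portals):
    """Headers the valve would add for a request whose Host header is incoming_host."""
    host = incoming_host.split(":", 1)[0].strip().lower()
    origin = portals.get(host)
    if origin is None:
        # Not a registered portal alias: only the application itself may frame it.
        return {
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'",
        }
    # Registered alias: allow framing from the mapped portal. Both headers are sent
    # because neither is honoured by every browser (ALLOW-FROM in particular was
    # never supported by all of them).
    return {
        "X-Frame-Options": f"ALLOW-FROM {origin}",
        "Content-Security-Policy": f"frame-ancestors {origin}",
    }


def csp_allows_framer(csp_value, framer_origin, page_origin):
    """Approximate a browser's frame-ancestors check: may framer_origin embed the page?

    Handles only the source forms this example emits: 'self', 'none' and full origins.
    """
    sources = csp_value.split()[1:]  # drop the directive name
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and framer_origin == page_origin:
            return True
        if src == framer_origin:
            return True
    return False


if __name__ == "__main__":
    portals = parse_portals(SAMPLE_PORTALS_TXT)
    for host in ("planonportal1.company.com", "PlanonPortal2.company.com:8080", "planon.company.com"):
        print(host, "->", framing_headers(host, portals))
```

Running the module prints the header pair chosen for a registered alias, for the same alias with different casing and an explicit port, and for an unregistered host, which is the same check an administrator would make after adding a line to portals.txt by inspecting the response headers of the Web Client through each DNS alias.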