“Control Add In” in Business Central: why iframes are not a good idea?

BUSINESS CENTRAL CONTROL ADD IN IFRAMES

Most of Business Central Control AddIns sample I found on the internet mostly uses the <IFRAME> to embed an external webpage or website inside Business Central page.

This solution is pretty common because it allows to easily and quickly embed the page just by using the <iframe> tag.

With the iframe the business central webpage (https://businesscentral.dynamics.com/) just embeds your own webpage (https://www.yoursite.com)

But <iframes> have a major problem. They allow cross site javascript scripting between the parent and the iframe page but they does not allow the scripting on the other direction. This is prevented for security reason, as often happens with iframes.

On the past cross scripting was used to get private information, it was enough just to embed any bank website inside an iframe to access all of its information from the parent page. So, just embedding the login page in an iframe, allowed malicious users to access credentials entered in the login page.

This means that, by using iframes, the browser JavaScript’s engine does not allow cross site scripting.

In my previous article I used in fact a different approach to implement a control addin.

“Control Add In” in Business Central: a responsive web app fully integrated in web client and mobile app:

https://businesscentraldotblog.wordpress.com/2021/02/26/control-add-in-in-business-central-a-responsive-web-app-fully-integrated-in-web-client-and-mobile-app/

With the correct solution I used this piece of code to embed an external static resource on my BC page:

I first included: ‘https://cdnjs.cloudflare.com/ajax/libs/knockout/3.4.2/knockout-debug.js&#8217;,

Then I loaded the page with this AJAX function :

$.ajax({ url: url, xhrFields: { withCredentials: true } )).done(function(data) { $(“#controlAddIn).text(data); });

REFERENCES: SOLUTION NOT USING FRAMES

https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/devenv-control-addin-object

REFERENCES: SOLUTIONS USING FRAMES

LAST UPDATED

27th of February, 2021

One thought on ““Control Add In” in Business Central: why iframes are not a good idea?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s