Would like to check whether anyone has experience with screen-popping a Dynamics CRM web page within Finesse?
Currently we are looking at the Screenpop gadget to load the Dynamics CRM within the Finesse iFrame, and CallVariables will be passed to the CRM via query strings in the URL. However, the customer is concerned about security...
However, we found the following info, so we would like to check whether MS Dynamics CRM supports the below?
It is recommended that you *not* use an iframe in a Finesse gadget, use it only as a last resort.
Some web sites will not work in an iframe. Google, for example, blocks displaying a Google Search page in an iframe.
Just because a site allows itself to be loaded in an iframe now does not mean it will be supported by the web site in the future.
Running a web site in an iframe is considered poor security, as the containing page could access credentials from the iframe page.
Instead use the gadgets.io.makeRequest function to access a web app using its REST API.
Note: You cannot display a web page returned via makeRequest as there will be cross-domain scripting issues with it.
See the WebServiceSampleGadget here: https://github.com/CiscoDevNet/finesse-sample-code/tree/master/WebServiceSampleGadget
The format for gadgets.io.makeRequest is:
gadgets.io.makeRequest(url, callback, opt_params);
The function fetches content from the provided url and feeds that content into the callback function.
Content should be of type JSON or XML that you then dynamically add to the gadget html.
You should not use gadgets.io.makeRequest to display a web page, but rather to retrieve JSON or XML from a web site that provides a REST API.
Due to cross-domain scripting issues, a Finesse gadget will not be able to display a web page within a gadget.
To clarify, the Partner wants to display the entire Dynamics screen pop using an iFrame within Finesse; however, the customer has concerns on the security side...
Does passing a query using SSL and certificates address this concern? We would like to check if there are any other better methods; if not, then we need to get back to the customer that this is the best way.
Let me try to expand on the original explanation…
Architecturally, the Finesse Desktop (Container) uses Shindig (https://shindig.apache.org/) to render the Gadgets into the UI. Each Gadget is rendered as an iFrame. This is done to give each Gadget its own little “sandbox” to run within, without interacting with either the Container or the other Gadgets.
Many Web Applications protect themselves from a vulnerability called “Clickjacking” (https://www.owasp.org/index.php/Clickjacking) by adding X-Frame-Options in the Header to prevent that Web Application from being hosted in an iFrame. Clickjacking is where a hacker puts up a website that simply wraps the entire targeted Web Application in an iFrame, so that they can intercept the keys being pressed. It is in this way that they can steal the User’s account information and/or anything they enter into the targeted Web Application. Current browsers do support an ALLOW-FROM X-Frame-Option (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types) that would allow saying that the Web Application can be loaded in an iFrame, but only when in a different Web Application (like the Finesse Desktop). Since you don’t actually “own” the target Web Application here (MS Dynamics CRM), you probably couldn’t influence any X-Frame-Options that they have (if they have them).
The first step is to run MS Dynamics CRM, pop open a Browser Debugger, and look for something like this:
If there are no X-Frame-Options specified, then you are golden. There is no real Security Issue with putting it into the Gadget (as it is their Gadget). If there are no X-Frame-Options, then the Security Risk is already there and it wouldn’t be something you are exposing by putting it into a Gadget. If the X-Frame-Options is already there, they could approach Microsoft to ask if it could be modified to add an ALLOW-FROM or something. It really wouldn’t be a Security Issue in this case because it would only be allowed within the Finesse Desktop. However, if the only way to get this to work is to turn off X-Frame-Options completely, then that would be a Security Issue because someone else could throw together a website to Clickjack that implementation.
The other alternative that was originally recommended would be to utilize the APIs that MS Dynamics CRM uses, and recreate functionality in the form of a Gadget within Finesse. However, I am certain MS Dynamics CRM is quite complex, so doing this probably isn’t practical.
One final alternative is possibly to use Finesse’s Workflow capability to “Screen Pop” a MS Dynamics CRM screen. I don’t have any idea if they have or allow this, but some Web Applications allow you to launch them with query parameters to cause the Screen to open to a particular place. Going back to my original Google example, I can do something like this: https://www.google.com/search?q=Can%20I%20screen%20pop%20in%20MS%20Dynamics%20CRM%20. Maybe MS Dynamics CRM allows this as well, and you could use the Workflow to pop to it.
Technical Leader & Finesse Architect
CBABU - Contact Center Software Development
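An added example, not code from the thread, Cisco or Microsoft: once the X-Frame-Options value has been read from the CRM response in the browser debugger, this evaluates it the way the reply above reasons about it (absent, DENY, SAMEORIGIN, ALLOW-FROM) and reports whether a gadget on the Finesse desktop origin could frame the page and whether the page is open to framing by any site at all. The crm.example.com and finesse.example.com origins are constructed placeholders, and ALLOW-FROM is reported as written even though not every browser honours it.

```javascript
// Added example (not from the thread, Cisco or Microsoft): evaluate the
// X-Frame-Options value captured from the CRM response and report whether the
// Finesse desktop origin could frame the page. Origins are placeholders.
function parseXFrameOptions(headerValue) {
  if (headerValue == null || String(headerValue).trim() === "") {
    return { directive: "ABSENT" };
  }
  // A repeated header reaches the browser as one comma-joined list.
  const values = [...new Set(String(headerValue).split(",")
    .map((v) => v.trim()).filter(Boolean).map((v) => v.toUpperCase()))];
  if (values.length > 1) {
    return { directive: "CONFLICT", raw: values }; // conflicting directives
  }
  const v = values[0];
  if (v === "DENY" || v === "SAMEORIGIN") return { directive: v };
  if (v.startsWith("ALLOW-FROM")) {
    try { // new URL() lowercases scheme and host, so upper-casing is harmless
      return { directive: "ALLOW-FROM", origin: new URL(v.slice(10).trim()).origin };
    } catch (e) { /* unparsable URI: fall through to INVALID */ }
  }
  return { directive: "INVALID", raw: v };
}

// Returns { allowed, exposed, reason }: may framerOrigin embed framedPageUrl,
// and can any site at all frame the page (the clickjacking exposure)?
function framingVerdict(headerValue, framedPageUrl, framerOrigin) {
  const pageOrigin = new URL(framedPageUrl).origin;
  const xfo = parseXFrameOptions(headerValue);
  switch (xfo.directive) {
    case "DENY":
      return { allowed: false, exposed: false, reason: "DENY: nobody may frame it" };
    case "SAMEORIGIN":
      return { allowed: pageOrigin === framerOrigin, exposed: false,
               reason: "SAMEORIGIN: only " + pageOrigin + " may frame it" };
    case "ALLOW-FROM":
      return { allowed: xfo.origin === framerOrigin, exposed: false,
               reason: "ALLOW-FROM: only " + xfo.origin + " may frame it (browser support varies)" };
    case "CONFLICT":
      return { allowed: false, exposed: false,
               reason: "conflicting values " + xfo.raw.join("/") + ": treated as DENY" };
    default: // ABSENT or INVALID: browsers ignore the header, so any site can frame it
      return { allowed: true, exposed: true,
               reason: xfo.directive + ": framing unrestricted; the exposure predates the gadget" };
  }
}

// Constructed sample: what the debugger step might show for the CRM page.
console.log(framingVerdict("SAMEORIGIN", "https://crm.example.com/main.aspx",
                           "https://finesse.example.com:8445"));
```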
Thanks Gary, this is the most insightful response I have received, and the Partner's feedback is the same.
The customer, who is a Ministry in Singapore, has concurred with the point on the X-Frame-Options from their side.
At the same time, the Partner will be testing out the Finesse Workflow capability for the screen pop.
Thanks for the help again!