As far as i know, it is the security violation, that the hybris by default recommends, even further it is set strictly with "cross domain origin" restriction. By allowing other domains renders the page inside the i-frame, you are agreed to the clickjacking attacks, as well as inturn referred cross-domain origin issues.
With my experience, we had created a filter that will set x-frame-options to allow-from only the certain domain that the third party want to load intheir i-frame.
You can set ALLOW-FROM *.salesforce.com" on the response header, please remember the default properties that are set by hybris engine, also get appended to the response header. So make sure you disable completely, and take control in the filter that intercepts all the requests coming to the application, and making sure you set the allow-from with specific domain - may atleast stop intruders.
I would check with the security audit experts once you confirm the solution.
Additional Note: please also pay attention to CSRF allowed URL patterns, that depends on your requirements, you can not submit or post any pages directly to hybris server, from i-frame (thirdparty domain , as CSRF restricts the application, and protects from clickjacking).
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.