Stream: javascript
Topic: SMART App opening in new window
Corey Wen (Nov 19 2021 at 13:31):
Hi, I am using the SMART JS Client Library. The current situation is that the SMART app is launching from a CDS card, at which point the EHR opens a new window where the authorization flow begins. After SMART.authorize completes, the app runs into a 'This content cannot be displayed in a frame' error.
I found this GitHub issue describing this issue which says the solution is the advanced options.
I believe the issue is with the header 'X-Frame-Options', but I'm not clear on what the value should be.
The page at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options mentions two values, DENY or SAMEORIGIN. It doesn't seem like DENY is the answer, so, assuming 'X-Frame-Options' is present, should the app be able to launch/run from a new window?
I have tried the app with
{completeInTarget: true, target: '_self'}
{completeInTarget: true, target: '_blank'}
{completeInTarget: true, target: 'popup'}
{completeInTarget: true, target: '_top'}
but none of these made any difference.
Might anyone know if advanced options for the SMART client is the correct direction to look, and what the correct configuration of the advanced options might be?
@Vladimir Ignatov Could I get your comment on this issue?
Josh Mandel (Nov 19 2021 at 13:54):
Given the way that browser cookie policies have evolved (and the underlying security and privacy concerns that led to these changes), there are reasons to make sure that a login step does not need to happen inside of an iframe during a SMART app launch. This is something we should take into account with the SMART Launcher as well as with the JavaScript client libraries.
And by the way, what CDS Hooks environment are you launching an app from? Sandbox or a real-life implementation?
Vladimir Ignatov (Nov 19 2021 at 14:54):
As you said, "the EHR opens a new window where the authorization flow begins". At this point I assume their expectation is that your app will authorize and render in that same popup, and those advanced options have nothing to do with that (meaning that it should work with the default options). I feel like the reason is indeed in the X-Frame-Options header. Can you check which server is sending that header? If it is under your control, try removing the X-Frame-Options header.
Corey Wen (Nov 19 2021 at 15:22):
Josh Mandel said:
Given the way that browser cookie policies have evolved (and the underlying security and privacy concerns that led to these changes), there are reasons to make sure that a login step does not need to happen inside of an iframe during a SMART app launch. This is something we should take into account with the SMART Launcher as well as with the JavaScript client libraries.
And by the way, what CDS Hooks environment are you launching an app from? Sandbox or a real-life implementation?
The app is being launched from a BPA from an Epic sandbox.
Corey Wen (Dec 01 2021 at 18:17):
@Vladimir Ignatov Does the SMART client attach X-Frame-Options: SAMEORIGIN automatically? If it does, is there a way to disable it?
Vladimir Ignatov (Dec 02 2021 at 15:46):
That is a response header, thus it is "attached" by the server that renders the app. The client has nothing to do with that.
Last updated: Apr 12 2022 at 19:14 UTC