If you or your ClientPoint recipients see the message "refused to connect", the webpage/URL cannot be iframed because the site's security settings do not allow it.
If you are the owner of the site
If you are the owner of the site and would like to allow it to be iframed into the ClientPoint experience, we recommend adding the following to your site configuration so that clientpoint.net can iframe the website into the viewer.
To allow an iframe to embed your webpage, you need to modify the HTTP headers sent by your server. These headers are not set in the HTML file itself; they are handled on the server side.
Here’s how you can allow it by adjusting the X-Frame-Options and Content-Security-Policy headers sent by your server:
1. Allow iframe Embedding with X-Frame-Options Header
You can set the X-Frame-Options header to allow embedding. Options include:
- Allow from any domain (no restrictions):
X-Frame-Options: ALLOW
Note: Not all browsers support ALLOW. It's better to omit this header entirely if you want full embedding.
- Allow embedding from specific domain:
X-Frame-Options: ALLOW-FROM https://clientpoint.net https://clientpoint.co
This will allow https://clientpoint.net and https://clientpoint.co to embed the page in an iframe.
Note: Some browsers may no longer fully support ALLOW-FROM since it's being deprecated in favor of Content-Security-Policy.
2. Using Content-Security-Policy Header
You can use the Content-Security-Policy (CSP) to control iframe embedding more flexibly:
- Allow from any domain:
Content-Security-Policy: frame-ancestors *
- Allow embedding from specific domains:
Content-Security-Policy: frame-ancestors https://clientpoint.net https://clientpoint.co
This policy tells the browser to only allow these specific domains to embed the page in an iframe.
3. No Embedding Restrictions (Allow from anywhere)
Simply remove or avoid setting the X-Frame-Options header and avoid restrictive Content-Security-Policy related to frame-ancestors. For complete openness, you would have:
Content-Security-Policy: frame-ancestors *
Server Configuration Examples:
- For Apache: In your .htaccess file or server configuration, you can add:
Header always set X-Frame-Options "ALLOW-FROM https://clientpoint.net https://clientpoint.co"
- For NGINX: In your server block, add:
add_header X-Frame-Options "ALLOW-FROM https://clientpoint.net https://clientpoint.co";
For full flexibility, using Content-Security-Policy is generally recommended.
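To see which header actually decides whether the viewer may frame your page, the sketch below evaluates a set of response headers the way current browsers do. It is an added example, not ClientPoint code; the function names, the sample headers, and the simplified source matching (one direct embedder, host sources only) are assumptions.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or PORTS.get(u.scheme))

def _matches(source, embedder, page):
    """Simplified frame-ancestors source match (host sources, 'self', 'none', *)."""
    if source == "*":
        return True
    if source.lower() == "'none'":
        return False
    if source.lower() == "'self'":
        return _origin(embedder) == _origin(page)
    scheme, host, port = _origin(embedder)
    s = urlsplit(source if "://" in source else f"{scheme}://{source}")
    if s.scheme != scheme or (s.port or PORTS.get(s.scheme)) != port:
        return False
    pattern = s.hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def can_embed(headers, embedder, page):
    """headers: (name, value) pairs from the page's response -> (allowed, reason)."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = [t.strip().upper() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",")]
    enforced = False
    for policy in ",".join(csp).split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                enforced = True
                if not any(_matches(s, embedder, page) for s in parts[1:]):
                    return False, "blocked by frame-ancestors"
                break  # only the first frame-ancestors in a policy counts
    if enforced:  # browsers ignore X-Frame-Options once frame-ancestors is set
        return True, "allowed by frame-ancestors"
    if "DENY" in xfo:
        return False, "blocked by X-Frame-Options: DENY"
    if "SAMEORIGIN" in xfo and _origin(embedder) != _origin(page):
        return False, "blocked by X-Frame-Options: SAMEORIGIN"
    return True, "no enforced framing restriction"  # ALLOW / ALLOW-FROM are ignored

# Constructed sample response headers (not captured from a real site).
SAMPLE = [("X-Frame-Options", "SAMEORIGIN"),
          ("Content-Security-Policy",
           "frame-ancestors https://clientpoint.net https://clientpoint.co")]
```

With only an `ALLOW-FROM` header the function reports no enforced restriction for any embedder, which is why the `frame-ancestors` allowlist is the setting that limits framing to the ClientPoint domains.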
If you are NOT the owner
If you are NOT the owner of the site, we recommend setting the webpage/URL to "Open in new tab".