I am trying to move a FileMaker Server-powered, SuperContainer-using web site to a new, dedicated, virtual server hosted by Triple8. Tech support there strongly warns me against hosting web sites from a FMS server. I understand their concern and know that it's easy to just point to the FMS machine from the separate web hosting machine.

But SuperContainer really complicates this. Suppose a website, "exampleA.com", is trying to serve a page that wants to display an image generated by SuperContainer on the FMS machine, which has domain exampleB.com. The image tag on the page served from exampleA.com would read something like

<img src="http://exampleB.com/SuperContainer/Files/fileID/">

I have also used iFrames, such as 

<iframe src="http://exampleB/SuperContainer/RawData/fileID "> </iframe>

Neither will display on the exampleA.com server because of normal security restrictions. The exampleB computer does not allow its resources to be displayed by iframes of another domain, and the exampleA.com server won't display <img>'s that are not in its web root directory. 

So what should I do? My initial intent was to host the website from the FMS machine. But I know they are right that FMS is a rather problematic web hosting system.

By default, FMS adds an extra http header to all content served from the built in web server. The extra header is "X-Frame-Options" and is set to "SAMEORIGIN".

This is done to prevent webdirect being included in other pages. You can go in and modify that if you like. In IIS manager, select the FMWebSite, then the HTTP Response Headers, and you can remove it from there.

Also, make sure if your main website is served via https, that the iframe references are also served via https.

Mike

Would that help <img> tags, too? The X-Frame-Options is for iFrames.

I suppose not, but have you looked at it with the dev tools in your browser? Just to make sure the path is correct?

I abandoned the idea of serving the website from a computer separate from Filemaker. But this comment by Mike was super-helpful:

Quote

Also, make sure if your main website is served via https, that the iframe references are also served via https

Documents were not showing their icons until I changed the base URL for SC to https. Now all's well.

On 9/26/2017 at 11:42 AM, Mike Duncan said:

By default, FMS adds an extra http header to all content served from the built in web server. The extra header is "X-Frame-Options" and is set to "SAMEORIGIN".

This is done to prevent webdirect being included in other pages. You can go in and modify that if you like. In IIS manager, select the FMWebSite, then the HTTP Response Headers, and you can remove it from there.

Also, make sure if your main website is served via https, that the iframe references are also served via https.

Mike

This worked. This fall we moved to a two-machine deployment, with the web server and all the PHP files on a domain separate from the FMS machine. On the FMS machine I did as Mike wrote and now our <iframe> display of SuperContainer docs is working. (Both machines have to have legit SSL custom certs.)