alternative to <iframe>

Our latest PCI scan told us we had to the X-frame-options setting to our apache config in order to prevent clickjacking attacks. Doing so breaks some services we provide for our own use on other web servers where we need to show data from our iSeries in a frame on a page. Sharepoint is one such place where we use an iframe that points to an iSeries URL that returns html code to be displayed in the frame. In one instance that shows a student their faculty's office hours and office location. A service we need to still provide but we x-frame-options set on the iSeries apache server will deny the request. We looked into the setting on the x-frame-option that is supposed to allow this to work for a single defined remote server but not all browsers support that extension and we have 3 different servers that all use iframes in a similar fashion. One of them is even a cloud service. The only options we have come up with so far are not great. One is to replace the iframe with a link that when clicked opens a small window with the data. And another is to generate the html code once a day for each possible faculty member and send individual html files to the remote server and have the remote server point to itself in the iframe


Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology