Best practices for using mashups
Embed Pega content on your website with less effort by following best practices for mashups. Building a guidelines-compliant application results in less issues and saves you time on troubleshooting and fixing errors.
- Specify the host page URL as the trusted origin on the application rule form so
that the mashup host-gadget communication works as intended.
- In the header of Dev Studio, click the name of the application, and then click Definition.
- Click the Integration&security tab, and then
in the Mashup security section, add the URL of your
web page to the allow list for the application by specifying the host,
port and protocol.
- Do not load your mashup with an XHTML Strict doctype because most browsers do not support XHTML.
- Ensure that the Pega software versions match when you embed a mashup in a Pega Platform application.
- Ensure that you disable SameSite cookies by clearing the CSRF (Cross-site
request forgery) token.For more information, see Enabling and configuring Cross-Site Request Forgery settings.
- If you use mashups and the CSRF token is active, add the domains where the
mashup scripts are embedded to the Allowed referrers
field on the Cross-Site Request Forgery landing page.For more information, see Enabling and configuring Cross-Site Request Forgery settings.
- If you enable encryption while generating a mashup and want to pass custom
parameters or dynamic parameters from the host page, either mention all the
required parameters in the mashup channel while generating the mashup code, or
use the following pega.web.api.setAuthenticationParameters
API before the system loads the mashup on the web page:
<script src ='http://samplehost:port /prweb/IAC/?pzuiactionzzz=CXtpbn1iaXB1MndsRVBEMGFReHpjeWEwS1k1ZlNycFcvRUVBQTZPYUxrSjNoL0ZOdnV2QjV4b3ZR%0ARWZuL3ZKdGV5TEtK’ ></script> <script> function loadGadget() { pega.web.api.setAuthenticationParameters("PegaGadget", { UserIdentifier: "XXXX", Password: btoa("YYYYY"), customParam1: “Value1”, customParam2: “Value2” }); pega.web.api.doAction("PegaGadget", "load"); }; </script> <button onclick="loadGadget()">Load the gadget</button> <div id='PegaGadget' data-pega-encrypted ='true' data-pega-encrypted-hash = 'pzuiactionzzz=CXtpbn1wU3DFd1FSaWhOdEhlVjRTZjZ2ZncrWDlDN3dkYmVoL2hNMFkxWDIyTGJJM3hoYkZFTktJ%0Ac1ZTSWlJeVY5U3ZobmNuUDdhWWY0VEZxMlBFVWp1dEZ1ckkwK2JoQzltNm4rckxhRGFKbVd6YzJ4%0Acnd3SUlHTkROdmI4VlNiTlQ4TFBBWnYwa1BQWGRyUldZb3dhRU00S1BXMnpaa1hTSEwvSmdaYjhp%0ARTlxZkIzYlBab2FKU2V0bUlqaUpkSlhJN2I%3D' data-pega-gadgetname ='PegaGadget' data-pega-action ='createNewWork' data-pega-action-param-classname ='PegaSample-Work’ data-pega-action-param-flowname ='pyStartCase' data-pega-isdeferloaded ='true' data-pega-resizetype ='stretch' data-pega-url ='http://samplehost:port/prweb'></div> - Ensure that your mashup displays as intended by not using the
nosniff setting.The nosniff response header prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the content-type that the server declares.
- Do not use the APR connector protocol in a Tomcat container because the
protocol returns an empty POST body to the Pega Platform
engine. Instead, use the correct NIO or NIO2 protocol for the Tomcat
version.For more information, see the Troubleshooting Error adopting from POST body SAXParseException: Content is not allowed in Prolog article on Pega Community.
- Best practices for using multiple mashups
Learn about how Pega Platform supports semantic and non-semantic URLs, and discover the best practices for loading multiple mashups to ensure that your mashups work as intended.
Previous topic Mashup action objects Next topic Best practices for using multiple mashups