Is there a way to include a firefox extension popup in the Content-Security-Policy of my website? - firefox-addon

I want to embed an iframe in the popup of a firefox extension but I get "Firefox Can’t Open This Page - To protect your security, www.example.com will not allow Firefox to display the page if another site has embedded it." and it is because the site example.com has configured the Content-Security-Policy with frame-ancestors 'self'. I can change it to frame-ancestors * but I would like something less broad.

It depends on what origin your popup window has (what is specified in <iframe src= or in <iframe srcdoc=).
Some origins are subject to CSP regulation, others are not. For example, vendor schemes like moz-extension: / chrome: should bypass the CSP.
Also, the 'self' token can be very insidious:
,----------------- parent HTTP://example.com --------------------,
|                                                                |
|  * Host-source is HTTP://example.com with the HTTP: scheme     |
|                                                                |
|    <iframe src='HTTPS://example.com'>                          |
|    Content-Security-Policy: frame-ancestors 'self'             |
|                                                                |
|    * 'self' would be substituted by HTTPS://example.com, it    |
|      means that you actually have the header:                  |
|    Content-Security-Policy: frame-ancestors HTTPS://example.com|
|      therefore it will block embedding into parent with        |
|      HTTP://example.com because of schemes mismatch            |
|      (HTTP: !== HTTPS:)                                        |
|                                                                |
|    </iframe>                                                   |
|________________________________________________________________|
But the opposite situation (parent with HTTPS: and iframe with HTTP:) will not cause problems in CSP3 browsers (but will in CSP2 ones).

In the case of IIS you need to change the X-FRAME-OPTIONS header from "Deny" to "SAME-ORIGIN", or add X-FRAME-OPTIONS if it does not exist. To do that:
Open IIS Manager and, in the tree on the left, click the site you would like to manage.
Double-click the “HTTP Response Headers” icon.
Right-click the header list and select “Add”.
For the “name” write “X-FRAME-OPTIONS” and for the value write your desired option, e.g. “SAME-ORIGIN”.

Related

One of my iframe is not working/loading ios ionic

One of my iframes is not working/loading in iOS only (mobile and emulator) while it is working fine on android/chrome/safari.
It happens to only one iFrame, while a second one is working (in iOS).
I have the following message error:
webPageProxy::didFailProvisionalLoadForFrame: frameId = 26, domain = nsurlErrorDomain, code: -999.
I have implemented both answers from stackoverflow:
Ionic iframe loading not fully working on iOS
iframe is not working in iOS (ionic framework)
Plus I have sanitized the url of the iFrame.
Nothing seems to work, the iFrame is white.
The url I am passing (in the case where it is working):
https://preprod-tpeweb.paybox.com/cgi
The url I am passing (in the case where it is not working):
https://secure-test.dalenys.com/front/form/process
These two urls are from action POST form, with an iFrame as a target.
Do you have any idea what to do? Would it be possible that the host has badly set up its website?
Would it be possible that it comes from the fact that the iFrame has this error:
Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute ?
Update:
We had the following error: “Refused to load https://secure-magenta1.dalenys.com/front/form/process because it does not appear in the frame-ancestors directive of the Content Security Policy.”
The CSP, from my understanding, is what secures your website against being embedded by another one.
And indeed the third party request header CSP frame-ancestors is set to:
Content-Security-Policy : default-src * 'unsafe-inline'; frame-ancestors * gap:; img-src * data:
To allow the iOS in-app browser to access this request through an iFrame, do either of the following:
remove frame-ancestors, which in our case gives: Content-Security-Policy : default-src * 'unsafe-inline'; img-src * data:
allow ionic capacitor, by changing the CSP to: Content-Security-Policy : default-src * 'unsafe-inline'; frame-ancestors * gap: capacitor:; img-src * data:
note: I do not recommend using the wild-card on its own with frame-ancestors because it is the same as using the default configuration. Plus it seems that the iOS in-app browser is not able to read it. It is just the third party that set it this way.

ruby on rails allow embedding of your website in other sites using frame_ancestors content security policy or X-Frame-Options

I am trying to allow others to embed pages from my rails app on many websites. I can get it to work in Chrome and Firefox using X-Frame-Options. Is there a content security policy that is equivalent to
response.headers['X-Frame-Options'] = "ALLOW-FROM *"
Here is the bit using X-Frame-Options
class PeopleController < ApplicationController
  def embed
    response.headers['X-Frame-Options'] = "ALLOW-FROM *"
    #company = People.new
  end
end
But it does not work in both Chrome and Google when I use content security policy:
class PeopleController < ApplicationController
  content_security_policy do |p|
    p.frame_ancestors "self", "*"
  end

  def embed
    #company = People.new
  end
end
When using Content Security Policy, it throws this error:
Refused to frame 'http://localhost:3000/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors self".
and this is an example of the embed code:
<iframe src="http://localhost:3000/people/embed"></iframe>
and this is another one I tried:
<iframe src="/people/embed"></iframe>
Update
With content-security policy, this works only on Firefox:
content_security_policy do |p|
  p.frame_ancestors 'self', "*"
end
Modern Chrome and Firefox do not support the ALLOW-FROM key in the X-Frame-Options header. You can publish X-Frame-Options: ALLOW-FROM ### or X-Frame-Options: ALLOW-FROM http://example.com - they restrict nothing; headers with the ALLOW-FROM key are just ignored by browsers.
If you wish to allow iframing from unlimited domains, it's easier not to publish the X-Frame-Options header (or the frame-ancestors directive) at all.
If you have a limited set of allowed domains you can use the CSP header with frame-ancestors domain1 domain2 ... domainN;.
When using Content Security Policy, it throws this error: ... because an ancestor violates the following Content Security Policy directive: "frame-ancestors self"
This error means that you really published frame-ancestors 'self', not frame-ancestors 'self' * as expected.
Maybe you published two different CSP headers at the same time, maybe you have an error in your code. You can check what CSP header you actually got in the browser.
Note 1: the 'self' token should be single-quoted - use the "'self'" string in code.
Note 2: the 'self' token commonly covers standard ports 80/443 only; it does not cover http://localhost:3000 (this is browser-dependent). An asterisk * does cover any port number.
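As an added example (not code from any of the answers or questions on this page), a small Python model of how a browser evaluates frame-ancestors: it covers the 'self' scheme/port behaviour drawn in the first answer above (CSP3 tolerates an http-to-https upgrade, never the reverse), the two notes just above (an unquoted self is only the hostname "self"; * covers any port), the scheme-source form from the Ionic question (gap:, capacitor:) and the case of two CSP headers, which are both enforced. It follows the CSP3 source-matching rules as I understand them, is a simplification, and ignores paths in host-sources.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def origin(url):
    """Reduce a URL to (scheme, host, effective port); non-http schemes get port None."""
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())

def scheme_ok(expected, actual):
    """CSP3 scheme match: an http expression also accepts https, never the reverse."""
    return actual == expected or (expected == "http" and actual == "https")

def source_matches(expr, parent, embedded, csp3=True):
    """Does one frame-ancestors source expression let `parent` embed `embedded`?"""
    (ps, ph, pp), (es, eh, ep) = origin(parent), origin(embedded)
    if expr == "*":                       # any http(s) ancestor, on any port
        return ps in ("http", "https") or ps == es
    if expr == "'self'":                  # the embedded page's own scheme, host and port
        if (ps, ph, pp) == (es, eh, ep):
            return True
        # CSP3 also accepts an https ancestor for an http 'self' (not the other way round).
        return csp3 and ph == eh and scheme_ok(es, ps) and (
            pp == ep or (pp == DEFAULT_PORTS.get(ps) and ep == DEFAULT_PORTS.get(es)))
    if expr.endswith(":"):                # scheme-source such as gap: or capacitor:
        return scheme_ok(expr[:-1].lower(), ps)
    # host-source [scheme://]host[:port|:*]; an unquoted self is just the hostname "self"
    scheme, _, rest = expr.lower().rpartition("://")
    host, _, port = rest.partition(":")
    if not scheme_ok(scheme or es, ps):   # no scheme given: inherit the embedded page's
        return False
    if host.startswith("*."):
        if not ph.endswith(host[1:]):
            return False
    elif host != ph:
        return False
    if port == "*":
        return True
    if port == "":                        # no port given: only the parent scheme's default port
        return pp == DEFAULT_PORTS.get(ps)
    return port.isdigit() and int(port) == pp

def frame_ancestors_allows(headers, parent, embedded, csp3=True):
    """Check every CSP header value in `headers`: when several are sent, all are enforced."""
    for header in headers:
        for directive in header.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors" and not any(
                    source_matches(s, parent, embedded, csp3) for s in value.split()):
                return False
    return True
```

The arguments are the parent (embedding) page URL and the embedded page URL; an empty header list means no frame-ancestors restriction at all.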

Override Grails URL mapping from plugin

Using Grails 2.3.11 I've run into a problem regarding dynamic URL mapping properties.
Unfortunately one of the plugins I'm depending on has a dynamic mapping for the HTTP 500 status code - that is:
"500"('/error')
In my own URL mapping I wish to map this to a controller - but no matter what I do, it ignores MY URL mapping and the dynamic one from the plugin is used.
"500"(controller: "fejl", action: "systemfejl")
When running "url-mappings-report" it prints out the two mappings:
Dynamic Mappings
| * | /${controller}/${action}?/${id}? | Action: (default action) |
| * | ERROR: 500 | View: /error |
Controller: fejl
| * | ERROR: 403 | Action: ingenAdgang |
| * | ERROR: 404 | Action: findesIkke |
| * | ERROR: 500 | Action: systemfejl |
The only way I can override the mapping defined by the plugin is by defining my own "error.gsp" file and placing it in the root of the "views" folder.
Is it possible in any way to ignore URL mappings from plugins? I'm guessing this is not working as intended, as URL mappings from the application should take precedence.

In asp.net-mvc, would a querystring too long result in 404 File not found error?

I have an asp.net-mvc site and I have a case where I have a very long querystring in a URL. This was previously not an issue but I am suddenly getting this error in a few cases:
404 - File or directory not found - the resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
I haven't proven that it's due to URL length, but the reason I am assuming this is related to the length of the querystring is that if I remove certain parts of the query string it works fine, and I have gone through each section (to identify if part of the query string is "corrupt").
I am able to reproduce this error in my example that has a total url length of 2805 characters. Is this expected? I see the issue in both Firefox and Internet Explorer.
The reason I ask is that from my googling, it seems like IIS throws a different error when querystring is too long (415 or 414 error as described here)
Is this something that is set on the server side? in the web.config?
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxQueryString="xxxx"/>
    </requestFiltering>
  </security>
</system.webServer>
See
http://www.iis.net/ConfigReference/system.webServer/security/requestFiltering/requestLimits
https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx
Per MSDN:
When request filtering blocks an HTTP request because an HTTP request exceeds the request limits, IIS 7 will return an HTTP 404 error to the client and log one of the following HTTP statuses with a unique substatus that identifies the reason that the request was denied:
| HTTP Substatus | Description              |
|----------------|--------------------------|
| 404.13         | Content Length Too Large |
| 404.14         | URL Too Long             |
| 404.15         | Query String Too Long    |
FYI - 2048 is generally considered the highest cross-browser limit for a URL length.
It seems like IIS throws a non-standard 404.15 error code for very long query strings. This is probably overshadowed by the default error handler, and the actual error is mapped to a bare 404 error.
Read this for details:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits
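An added example (not from the question or the answers): a Python parser for IIS W3C-format logs that surfaces the 404.13/404.14/404.15 substatuses from the table above. The substatus is the only place the "Query String Too Long" reason is recorded, since the browser just sees a bare 404. The log lines are constructed; the field list mirrors a default IIS 7 W3C log, and the 2048 default for maxQueryString is an assumption about the server's configuration.

```python
from collections import Counter

# IIS request-filtering substatuses hidden behind a bare 404 (the MSDN table quoted above).
SUBSTATUS_REASON = {
    (404, 13): "Content Length Too Large",
    (404, 14): "URL Too Long",
    (404, 15): "Query String Too Long",
}

def parse_w3c_log(text):
    """Yield one dict per request from a W3C extended log, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def request_filtering_rejections(text):
    """Return (hits, counts): requests IIS rejected by request filtering, and a tally by reason."""
    hits, counts = [], Counter()
    for e in parse_w3c_log(text):
        reason = SUBSTATUS_REASON.get((int(e.get("sc-status", 0)), int(e.get("sc-substatus", 0))))
        if reason:
            hits.append({"time": f"{e['date']} {e['time']}", "client": e["c-ip"], "path": e["cs-uri-stem"],
                         "query_len": len(e["cs-uri-query"]), "reason": reason})
            counts[reason] += 1
    return hits, counts

# Constructed sample log (not real traffic): one normal request, one query string over the
# assumed IIS default maxQueryString of 2048 (logged as 404.15) and one over-long path (404.14).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-01-01 00:00:01 10.0.0.5 GET /people/index a=1 80 - 10.0.0.9 Mozilla/5.0 200 0 0 15
2015-01-01 00:00:02 10.0.0.5 GET /people/index {long_query} 80 - 10.0.0.9 Mozilla/5.0 404 15 0 3
2015-01-01 00:00:03 10.0.0.5 GET /{long_path} - 80 - 10.0.0.9 Mozilla/5.0 404 14 0 2
""".format(long_query="q=" + "a" * 2780, long_path="p" * 4200)

if __name__ == "__main__":
    hits, counts = request_filtering_rejections(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']} {h['path'][:40]} query_len={h['query_len']} -> {h['reason']}")
    print(dict(counts))
```

Point it at a real log file (read the file into `text`) to confirm whether the bare 404s the browser shows are really 404.15 rejections before raising maxQueryString.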

How to check if files exist from list of urls in Google Spreadsheet?

Assume that I have a list of URLs, each URL returns code 200 or 404.
How can I extract HTTP response code from these URLs?
Is there a function like importHTML, but it checks response code only?
|A |B |
-+-------------------------------+------------------------+
1|URL |response code |
-+-------------------------------+------------------------+
2|http://example.com/huge1.tar.gz|=importHTMLResponse($A2)|
3|http://example.com/huge2.tar.gz|=importHTMLResponse($A3)|
4|http://example.com/huge3.tar.gz|=importHTMLResponse($A4)|
...
You would have to write a proxy service at a known url, then
importHTMLResponse(http://MYPROXYSERVER/reponsecode?url=$A2)
or something similar.
The proxy service would run in whatever language you are comfortable with and just hit the supplied url, returning the status code.
