My addon is meant for Twitter. I inject an iframe and then set its path to a page in my addon. I have tried chrome:// with contentaccessible=true in my chrome.manifest. I tried creating an about page with URI_SAFE_FOR_UNTRUSTED_CONTENT. I then tried to create a resource URI that points to the about page. I then tried a resource URI pointing to the chrome:// page. All of them give me:
Security Error: Content at https://twitter.com/ may not load or link to resource://tweetereditor/.
Where, of course, resource://tweetereditor/ is the URL I tried to access. Is there a way to get around this without using a webprogress listener to add to each Twitter request the:
headers.push({name: 'Access-Control-Allow-Origin', value: '*'});
Allowing page/content scope access to browser scope can lead to security issues anyway.
How complicated is the content of the iframe?
The more secure method is to generate the content and insert it into the iframe programmatically (i.e. appendChild(), etc.).
I have put the meta tag of the image source on my domain, for example: http://kawantaman.com
So I put the meta tag of the image source on my subdomain also, for example: http://kawantaman.com/questioner
The problem is, when I shared my subdomain (http://kawantaman.com/questioner) to Twitter, the image preview of the card is redirected to the core domain (http://kawantaman.com).
How do I share a card based on the meta tag of my subdomain?
That URL (/questioner) redirects to the main top-level domain in the browser and when using curl, so when a user clicks a link to it on Twitter, the same thing happens. You'll need to fix your site setup.
I have a Rails app that I would like to have customers embed in their website (via an iFrame or similar code) where they can submit a form and potentially view account info.
I currently don't use OAuth, but I was wondering how to log them in safely given the strict same-origin and CORS settings most sites use to prevent clickjacking and such.
My initial thought was giving the iFrame a webpage with a designated token in the url to specify it comes from a valid site but that could easily be copy-pasted by hackers. I'm pretty sure OAuth tries to prevent that but as mentioned I don't have that currently implemented.
By default, iframe options for Rails are restricted to same-origin. If you want to enable external sites, you can do it like this:
config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }
This will allow other sites to embed your site. If you want to restrict external sites, you can do that by adding the following code in your base controller:
response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://dummysite.com"
Keep this code in a method and call it with before_action.
I'm not getting any errors or problems storing cookies on Chrome or Firefox, but with the default cookie settings on Safari... I seem to get quite a few problems getting cookies to store properly.
I'm doing cross-site (rendering an iframe from another domain), so I'm not sure if there is something special I should be doing for this on Safari.
http://prntscr.com/e1yt22
This setting will always make my website work properly and store cookies.
http://prntscr.com/e1ytfc
This setting will however not.
EDIT 1: Someone said to do this
The solution is to access the API/service from a sub-domain, e.g.
“api.somedomain.com”. This should cause Safari to hold onto the cookie
so it can be re-used for the CORS requests.
Will the workaround with subdomain work if both domains are different?
Will I get trouble with cookies if I do this on safari, which doesn't allow 3rd party cookies by default?
Example: <iframe src="xyz.example.com"></iframe> inside the xyz.com website?
Or does it have to be like this:
<iframe src="xyz.example.com"></iframe> inside the example.com website?
I am helping to create a Rails app that uses Ember for a front end MVC. For the app, it is hosting user content accessed via subdomains. On the subdomains, the user can upload custom JS and CSS. What I'm wondering about is if token authentication on the root domain will be safe if stored in Ember from the custom JS people could upload and run on their subdomains?
Provided the following:
Don't use cookies on *.domain.com, or don't use cookies at all.
They can't run (or really display it unescaped in any way) the JS/CSS on your main site.
The ember app with your token doesn't run on their sub-domain (obviously).
They can't put HTML in a file with a different extension or even Content-Type on your subdomain (or you aren't using cookies). They could direct a user's web browser there and it'd display the HTML. Be wary of phishing though (looks like it's your secure content). I can't imagine you could prevent this easily other than not using cookies -- without 100% ensuring properly formatted JS/CSS which would present all kinds of problems.
You can limit cookies to domain.com and www.domain.com, but I don't recommend it (prone to mistakes). If you don't, somebody can make a GET request through CSS or e.g. an image tag (not to mention JavaScript) and it'll send the authenticated cookies to your server. Remember unescaped input in their app can leave holes too.
If your token is stored in Ember, and they have access to custom JS where the app is running, of course it'll leave your token vulnerable. If you run your Ember app only on www.domain.com, avoid cookies, storing the token only locally/in JS, you might be okay.
If they just put HTML code in a file with another extension and direct people there it'll be interpreted as HTML.
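The cookie-scoping point in the answer above (and the Domain-matching rule behind the earlier question about xyz.example.com cookies) worked through as an added example, not code from any of the posts: a small model of the RFC 6265 rules a browser applies when deciding whether a stored cookie is attached to a request, run over two constructed session cookies issued by www.domain.com. The hostnames www.domain.com and attacker.domain.com, the cookie values and the helper names (`parseSetCookie`, `cookieSentTo`, `leakReport`) are constructed for this example, not a library API. Third-party cookie blocking, the Safari setting discussed earlier, is a separate layer this model does not implement.

```javascript
// Added example: models the RFC 6265 rules a browser applies when deciding
// whether a stored cookie is attached to a request. Not code from the posts.

// RFC 6265 section 5.1.3: does requestHost "domain-match" cookieDomain?
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // A suffix match counts only for real hostnames, never for IPv4 literals.
  return host.endsWith("." + domain) && !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.4: does requestPath "path-match" cookiePath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Turn a Set-Cookie header received from `setHost` into the record a browser
// stores. Returns null when the browser would reject the cookie (section 5.3).
// Simplification: the default path is "/" rather than derived from the request URI.
function parseSetCookie(header, setHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: setHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: sent back to setHost only
    path: "/",
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain":
        // A Domain attribute widens the cookie to every subdomain of that value,
        // provided the setting host itself is inside it (section 5.3 step 6).
        cookie.domain = v.toLowerCase().replace(/^\./, "");
        if (!domainMatches(setHost, cookie.domain)) return null;
        cookie.hostOnly = false;
        break;
      case "path":
        cookie.path = v.startsWith("/") ? v : "/";
        break;
      case "secure":
        cookie.secure = true;
        break;
    }
  }
  return cookie;
}

// Would the browser attach `cookie` to a request for `url`? (section 5.4 step 1)
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const hostOk = cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
  if (!hostOk) return false;
  if (!pathMatches(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return true;
}

// Constructed sample: the same session cookie issued two ways by www.domain.com.
const hostOnlyCookie = parseSetCookie("session=abc123; Path=/; Secure", "www.domain.com");
const domainWideCookie = parseSetCookie("session=abc123; Domain=domain.com; Path=/; Secure", "www.domain.com");

// Constructed requests: one to the main site, one to a user-controlled subdomain
// (which would receive the cookie outright), and one to the apex, which a page on
// that subdomain could trigger with a plain <img> tag.
const probes = ["https://www.domain.com/account", "https://attacker.domain.com/pixel.png", "https://domain.com/"];

// For each request, report which of the two cookies the browser would send.
function leakReport() {
  return probes.map((url) => ({
    url,
    hostOnly: cookieSentTo(hostOnlyCookie, url),
    domainWide: cookieSentTo(domainWideCookie, url),
  }));
}

if (typeof require !== "undefined" && require.main === module) console.table(leakReport());
```

The report shows the answer's point: a cookie set without a Domain attribute is host-only and goes back only to www.domain.com, while the one set with Domain=domain.com is also sent to attacker.domain.com and to the apex, so any image or CSS request issued from a user's subdomain carries the session with it.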
Does anyone know why Colorbox is not loading certain pages? I am wanting to load Google Maps on an address I have but it doesn't seem to work. I looked at the examples, and it loads Wikipedia, other known websites, and Bing.com including its maps. It does not load Google, Facebook, Twitter, or Pinterest. Although it does load Tumblr (but opens it up on the parent page and not in the iframe).
So I'm guessing Colorbox doesn't allow social media websites in the iframe? Has anyone had this problem?
The iframe does not load Google, Facebook, Twitter, or Pinterest because those sites have "X-Frame-Options: Deny" set on the server.
http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#search
Clickjacking Defense: Some hackers try to trick users into clicking buttons that appear to perform safe or harmless functions, but instead perform unrelated tasks. Clickjackers embed malicious code or "redress" the user interface by using transparent frames that overlay specific UI elements with misleading text and images. To help prevent clickjacking, Web site owners can send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.
X-Frame-Options: Deny
If the X-Frame-Options value contains the token Deny, Internet Explorer 8 prevents the page from rendering if it is contained within a frame. If the value contains the token SameOrigin, Internet Explorer will not render the page if the top-level browsing context differs from the origin of the page containing the directive. Blocked pages are replaced with a "This content cannot be displayed in a frame" error page.
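As an added example (not code from any of the posts, and not from Rails, Colorbox or Internet Explorer), here is a model of the check browsers run on the X-Frame-Options header before rendering a framed document, following the WHATWG HTML processing algorithm that current browsers implement, together with a helper that builds the framing headers a server such as the Rails app in the earlier answer should send. It serves both that Rails answer and the Colorbox answer above. The function names (`frameAllowed`, `framingHeaders`, `demo`) and the origins https://app.example.com and https://example.org are constructed for this example; http://dummysite.com is the value from the Rails answer.

```javascript
// Added example: a model of the X-Frame-Options check a browser runs before
// rendering a framed document (after the WHATWG HTML algorithm "check a
// navigation response's adherence to X-Frame-Options"), plus a helper for
// the headers a server should send. Not code from the posts, Rails or Colorbox.

// Origin = scheme://host[:port]; URL normalises case and drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// May a document at `pageUrl`, served with `xfoHeader`, render inside frames
// whose ancestor documents are at `ancestorUrls` (parent first, top-level last)?
function frameAllowed(xfoHeader, pageUrl, ancestorUrls) {
  const values = (xfoHeader ?? "").split(",").map((v) => v.trim().toLowerCase()).filter(Boolean);
  if (values.length === 0) return { allowed: true, reason: "no header: any site may frame it" };
  const unique = new Set(values);
  if (unique.size > 1) {
    // Conflicting values: browsers fail closed only if one of them is DENY.
    return unique.has("deny")
      ? { allowed: false, reason: "conflicting values including DENY" }
      : { allowed: true, reason: "conflicting values without DENY: header ignored" };
  }
  const value = values[0];
  if (value === "deny") return { allowed: false, reason: "DENY: never rendered in a frame" };
  if (value === "sameorigin") {
    // Current browsers check every ancestor, not only the top-level document.
    const page = originOf(pageUrl);
    const foreign = ancestorUrls.map(originOf).find((o) => o !== page);
    return foreign
      ? { allowed: false, reason: `SAMEORIGIN: ancestor ${foreign} is not ${page}` }
      : { allowed: true, reason: "SAMEORIGIN: every ancestor is same-origin" };
  }
  // ALLOWALL, ALLOW-FROM and typos are not recognised values; the header is
  // ignored, so the page is framable by anyone. (ALLOW-FROM was only ever
  // honoured by Internet Explorer and older Firefox.)
  return { allowed: true, reason: `unrecognised value '${value}': header ignored` };
}

// Server side: headers for a framing policy. X-Frame-Options can only say
// "nobody" or "only my own origin"; a list of trusted framers needs the CSP
// frame-ancestors directive, which browsers apply in preference to X-Frame-Options.
function framingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case "none":
      return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
    case "self":
      return { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" };
    case "allowlist": {
      if (allowedOrigins.length === 0) throw new Error("allowlist policy needs at least one origin");
      const list = allowedOrigins.map(originOf).join(" ");
      // Only CSP here: ALLOW-FROM is ignored by current browsers, and DENY or
      // SAMEORIGIN would block the very sites being allowed in legacy ones.
      return { "Content-Security-Policy": `frame-ancestors 'self' ${list}` };
    }
    default:
      throw new Error(`unknown policy ${policy}`);
  }
}

// Constructed scenarios: a site sending DENY (as the answer says Twitter does),
// and a Rails app at app.example.com embedded by dummysite.com from the Rails answer.
function demo() {
  const app = "https://app.example.com/form";
  return {
    twitterInColorbox: frameAllowed("DENY", "https://twitter.com/", ["https://example.org/gallery"]),
    railsDefault: frameAllowed("SAMEORIGIN", app, ["http://dummysite.com/"]),
    railsSelfEmbed: frameAllowed("SAMEORIGIN", app, ["https://app.example.com/embed"]),
    railsNested: frameAllowed("SAMEORIGIN", app, ["https://app.example.com/embed", "http://dummysite.com/"]),
    allowAllTypo: frameAllowed("ALLOWALL", app, ["http://dummysite.com/"]),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(demo())) console.log(name, r.allowed ? "rendered" : "blocked", "-", r.reason);
  console.log(framingHeaders("allowlist", ["http://dummysite.com"]));
}
```

Two things the scenarios make visible: the `ALLOWALL` value from the Rails answer is not a defined token, so browsers discard the header and the page becomes framable by anyone, which is the effect the answer wanted but only as a side effect of an invalid header; and `ALLOW-FROM` is ignored the same way by current Chrome, Firefox and Safari, so restricting embedding to particular sites needs a Content-Security-Policy `frame-ancestors` list. When both headers are present, browsers that support CSP apply `frame-ancestors` and ignore X-Frame-Options. The `railsNested` case also shows how current browsers differ from the IE8 description quoted above: SAMEORIGIN is checked against every ancestor frame, not only the top-level browsing context.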