I own a website where people create things and embed it on their website. Let's call it "mysite.com".
A user can create a page like "mysite.com/1" and embed it on their website, "acceptable.com". How can I prevent some other site like "forbidden.com" from being able to display "mysite.com/1" in an iframe?
tl;dr How can I make a "whitelist" for sites trying to iframe my own site?
In general, you can send an X-Frame-Options header with your server response that provides for the following options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
To do this in rails, you can set (source) for all pages
config.action_dispatch.default_headers.merge!({'X-Frame-Options' => '[OPTION HERE]'})
or for only certain pages, see How to override X-Frame-Options for a controller or action in Rails 4
Related
I have a Rails app that I would like to have customers embed in their website (via an iFrame or similar code) where they can submit a form and potentially view account info.
I currently don't use OAuth, but I was wondering how to log them in safely given the strict same-origin and CORS settings most sites use to prevent clickjacking and such.
My initial thought was giving the iFrame a webpage with a designated token in the url to specify it comes from a valid site but that could easily be copy-pasted by hackers. I'm pretty sure OAuth tries to prevent that but as mentioned I don't have that currently implemented.
By default, Iframe options for rails is restricted to same-origin. If you want to enable to external sites you can do it like this
config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }
This is will allow other sites to embed your site. If you want to restrict external sites. You can do that by adding following code it in your base controller.
response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://dummysite.com"
Keep this code in a method and call with before_action
My addon is meant for Twitter. I inject an iframe and then set its path to a page in my addon. I have tried chrome:// with contentaccessible=true in my chrome.manifest. I tried creating an about page with URI_SAFE_FOR_UNTRUSTED_CONTENT. I tried then to creeate a resource uri that points to the about page. I then tried resource uri pointing to the chrome:// page. All of them give me:
Security Error: Content at https://twitter.com/ may not load or link to resource://tweetereditor/.
Wherever of course the resource://tweetereditor/ is the URL i tried to access. Is there a way to get around this without using a webprogress listener to add to each twitter request the:
headers.push({name: 'Access-Control-Allow-Origin', value: '*'});
Allowing page/content scope access to browser scope can lead to security issues anyway.
How complicated is the content of the iframe?
The more secure method is to generate the content and insert it into the iframe programmatically (ie appendChild() etc)
I'm about to add an ssl certificate to a rails application hosted on heroku, so I can activate stripe payments.
The main function of our app is to let users create embeddable widgets. The widgets are essentially iframes of the views for the objects they're creating in our rails app.
The vast majority of our users' sites are using http, and I'm concerned that if we switch our app domain to https, the iframed widgets they've embedded would stop working.
Is it possible to have a secured domain name for our app, and let the users embed widgets that iframe parts of the app with source urls using just http?
You could only enforce SSL on certain routes.
scope constraints: { protocol: "https" } do
# routes you'd like secured
end
Then, don't enable force_ssl for the entire site and the other components should be unsecured.
An iframe that points to an http:// URL should just get redirected to https:// , so I forsee no problems there.
If you have a form with an action attribute as http://, that could be a problem, as a redirect won't take with it POST data.
Does anyone know why Colorbox is not loading certain pages? I am wanting to load Google Maps on an address I have but it doesn't seem to work. I looked at the examples, and it loads Wikipedia, other known websites, and Bing.com including its maps. It does not load Google, Facebook, Twitter, or Pinterest. Although it does load Tumblr (but opens it up on the parent page and not in the iframe.
So I'm guessing Colorbox doesn't allow social media websites in the iframe? Has anyone had this problem?
Iframe does not load Google, Facebook, Twitter, or Pinterest, is because those sites have "X-Frame-Options: Deny" set on server.
http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#search
Clickjacking Defense: Some hackers try to trick users into clicking buttons that appear to perform safe or harmless functions, but instead perform unrelated tasks. Clickjackers embed malicious code or "redress" the user interface by using transparent frames that overlay specific UI elements with misleading text and images. To help prevent clickjacking, Web site owners can send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.
X-Frame-Options: Deny
If the X-Frame-Options value contains the token Deny, Internet Explorer 8 prevents the page from rendering if it is contained within a frame. If the value contains the token SameOrigin, Internet Explorer will not render the page if the top level-browsing-context differs from the origin of the page containing the directive. Blocked pages are replaced with a "This content cannot be displayed in a frame" error page.
I want to differentiate between a new tab or new window request and simple request (i.e page opening in the same tab) on server or client side in MVC .net?
actually, we are nor using content placeholders in the layout page. we have div in it and child pages are loaded in it.so child aspx pages don't have Master page specified for them.
so when a new tab is opened for page, our master page is not attached to it, so all look and feel is lost.
now I want to identify a tab request #server side so as to send the required page with layout page.
I tried using Request.refferer to find the presence of master page, but the absolute URI is not always same for Firefox and IE
Current Scenario =>
1) Simple request : controller => Action => returns with Master page
2) Request generated when the user right clicks on the link and opens new tab:
controller=>ActionName => returns view without master page attached
The HTTP header fields have a fair amount of information in them, but whether or not the request originated from a new window is not included. Based on your question it sounds like you are using a lot of client side code for content retrieval and rendering - Ajax.
Assuming that is the case your best bet is looking at the nonstandard HTTP request field X-Requested-With:
mainly used to identify Ajax requests. Most JavaScript frameworks send this header with value of XMLHttpRequest
In ASP.NET MVC you can use the Request.IsAjaxRequest extension method to poke at this field. In this manner if a link is opened in a new window you can return the full page Site.Master and all. When the request is your expected behavior you'll know because it is an Ajax request.
That said, I'd recommend working on the way that you are rendering content and look up information on progressive enhancement.