Does anyone know why Colorbox is not loading certain pages? I am wanting to load Google Maps on an address I have, but it doesn't seem to work. I looked at the examples, and it loads Wikipedia, other known websites, and Bing.com including its maps. It does not load Google, Facebook, Twitter, or Pinterest, although it does load Tumblr (but opens it up on the parent page and not in the iframe).
So I'm guessing Colorbox doesn't allow social media websites in the iframe? Has anyone had this problem?
The iframe does not load Google, Facebook, Twitter, or Pinterest because those sites have "X-Frame-Options: Deny" set on the server.
http://msdn.microsoft.com/en-us/library/cc288472(v=vs.85).aspx#search
Clickjacking Defense: Some hackers try to trick users into clicking buttons that appear to perform safe or harmless functions, but instead perform unrelated tasks. Clickjackers embed malicious code or "redress" the user interface by using transparent frames that overlay specific UI elements with misleading text and images. To help prevent clickjacking, Web site owners can send an HTTP response header named X-Frame-Options with HTML pages to restrict how the page may be framed.
X-Frame-Options: Deny
If the X-Frame-Options value contains the token Deny, Internet Explorer 8 prevents the page from rendering if it is contained within a frame. If the value contains the token SameOrigin, Internet Explorer will not render the page if the top-level browsing context differs from the origin of the page containing the directive. Blocked pages are replaced with a "This content cannot be displayed in a frame" error page.
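To make the behaviour above concrete, here is a small Ruby model of the decision a browser takes for each X-Frame-Options directive, and a table of sites like the ones in the question. This is an added example, not code from the original post or from Colorbox; the header values in SAMPLE_SITES are constructed to illustrate each directive (the real values sent by these sites may differ) and the host names mypage.example and dummysite.com are placeholders.

```ruby
require 'uri'

# Reduce a URL to its origin (scheme://host[:port]), the unit that
# X-Frame-Options compares.
def origin_of(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}".downcase
end

# Decide whether a browser renders framed_url inside a frame whose top-level
# document is top_url, given the framed page's response headers.
# Returns true (the frame renders) or false (the browser shows its error page).
def framing_allowed?(headers, framed_url, top_url)
  value = headers.find { |k, _| k.casecmp?('X-Frame-Options') }&.last
  return true if value.nil?                        # no header: anyone may frame the page
  directive, target = value.to_s.strip.split(/\s+/, 2)
  return true if directive.nil?                    # empty value: treated as absent
  case directive.upcase
  when 'DENY'       then false
  when 'SAMEORIGIN' then origin_of(framed_url) == origin_of(top_url)
  when 'ALLOW-FROM'
    # Honoured by IE and Firefox only; Chrome and Safari never implemented
    # ALLOW-FROM and treat it as an unrecognised value (frame renders).
    !target.nil? && origin_of(top_url) == origin_of(target)
  else
    true  # unrecognised token (e.g. ALLOWALL): the header is ignored
  end
end

# Constructed sample: framed URL plus the response headers it would send.
SAMPLE_SITES = {
  'Google Maps' => ['https://www.google.com/maps', { 'X-Frame-Options' => 'SAMEORIGIN' }],
  'Facebook'    => ['https://www.facebook.com/', { 'X-Frame-Options' => 'DENY' }],
  'Wikipedia'   => ['https://en.wikipedia.org/', {}],
  'dummysite'   => ['http://dummysite.com/widget', { 'X-Frame-Options' => 'ALLOW-FROM http://dummysite.com' }],
}.freeze

# Names of the sample sites that would load inside an iframe on top_url.
def embeddable_sites(top_url, sites = SAMPLE_SITES)
  sites.select { |_, (url, headers)| framing_allowed?(headers, url, top_url) }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "Loads on https://mypage.example/: #{embeddable_sites('https://mypage.example/').join(', ')}"
  puts "Loads on http://dummysite.com/page: #{embeddable_sites('http://dummysite.com/page').join(', ')}"
end
```

Run the file and only Wikipedia loads from mypage.example, which matches what the question observed: the sites that refuse to load are the ones sending DENY or SAMEORIGIN, and nothing on the embedding side (Colorbox or otherwise) can override that. The one-origin ALLOW-FROM case and the "unrecognised value means no restriction" case are also modelled, since both come up in the answers further down.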
Related
I have a Rails app that I would like to have customers embed in their website (via an iFrame or similar code) where they can submit a form and potentially view account info.
I currently don't use OAuth, but I was wondering how to log them in safely given the strict same-origin and CORS settings most sites use to prevent clickjacking and such.
My initial thought was giving the iFrame a webpage with a designated token in the url to specify it comes from a valid site but that could easily be copy-pasted by hackers. I'm pretty sure OAuth tries to prevent that but as mentioned I don't have that currently implemented.
By default, the iframe option for Rails is restricted to same-origin. If you want to enable external sites, you can do it like this:
# 'ALLOWALL' is not a token defined for X-Frame-Options; browsers ignore an unrecognised value, so the effect is that any site may frame the page
config.action_dispatch.default_headers = { 'X-Frame-Options' => 'ALLOWALL' }
This will allow other sites to embed your site. If you want to restrict it to specific external sites, you can do that by adding the following code in your base controller:
# ALLOW-FROM accepts a single origin and is honoured by IE and Firefox only
response.headers["X-FRAME-OPTIONS"] = "ALLOW-FROM http://dummysite.com"
Keep this code in a method and call it with before_action.
My addon is meant for Twitter. I inject an iframe and then set its path to a page in my addon. I have tried chrome:// with contentaccessible=true in my chrome.manifest. I tried creating an about page with URI_SAFE_FOR_UNTRUSTED_CONTENT. I then tried to create a resource URI that points to the about page. I then tried a resource URI pointing to the chrome:// page. All of them give me:
Security Error: Content at https://twitter.com/ may not load or link to resource://tweetereditor/.
Where, of course, resource://tweetereditor/ is the URL I tried to access. Is there a way to get around this without using a webprogress listener to add to each Twitter request the:
headers.push({name: 'Access-Control-Allow-Origin', value: '*'});
Allowing page/content scope access to browser scope can lead to security issues anyway.
How complicated is the content of the iframe?
The more secure method is to generate the content and insert it into the iframe programmatically (i.e. appendChild() etc.).
My site is utilizing SSL, and it appears that while the user is in a secure connection they cannot accept outside media from unsecured sites, as the content will simply not load.
When the same page is loaded with the standard http://www.mypage.com all of the content loads correctly.
I am looking to embed a twitch stream into my page but I must continue to use SSL. I have seen the term CORS thrown around, does that apply to this issue?
I am looking to create a browser written in HTML using AsYouWish. (AsYouWish exposes the privileged Firefox Addons SDK to regular websites, subject to user approval for each privilege requested by the site; note, however, that this question doesn't really require knowledge of AsYouWish, just the SDK or XPCOM APIs.)
My demo is able to make a cross-domain request and add the text to the iframe using srcdoc, but due apparently to security restrictions, I can't get a contentDocument out of the iframe (as when I try to change the src on an iframe instead, as per this demo).
Is there some kind of means (content-proxy, security policy, or whatever it may be called) in the Addons SDK (or XPCOM) I might use to escalate my website's privileges to introspect the (cross-domain) contentDocument here (so I can listen in from the parent for page location changes in the iframe and thus build my own browser history with back and forward buttons, etc.)?
UPDATE: Since I understand remote XUL has been disabled, I am thinking that perhaps my only (albeit awkward) solution might be to detect a request by a site for DOM privileges, and if granted by the user, reload the page within a privileged iframe of a chrome:// document (since as per https://developer.mozilla.org/en-US/docs/Displaying_web_content_in_an_extension_without_security_issues the inner iframe will be granted privileges in this case unless restricted and thus presumably the privileged iframe should be able to reach into its own (cross-domain) iframes). I wish I could allow it access into its cross-domain child frames without access being able to come out of it up to the chrome level, but I can probably live with that since granting cross-domain iframe access is already a very high level privilege.
I own a website where people create things and embed it on their website. Let's call it "mysite.com".
A user can create a page like "mysite.com/1" and embed it on their website, "acceptable.com". How can I prevent some other site like "forbidden.com" from being able to display "mysite.com/1" in an iframe?
tl;dr How can I make a "whitelist" for sites trying to iframe my own site?
In general, you can send an X-Frame-Options header with your server response that provides for the following options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
To do this in Rails, you can set the following (source) for all pages:
config.action_dispatch.default_headers.merge!({'X-Frame-Options' => '[OPTION HERE]'})
or for only certain pages, see How to override X-Frame-Options for a controller or action in Rails 4
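As an added example that is neither part of the answers above nor Rails' own code: a framework-agnostic Rack-style middleware that answers the whitelist question (mysite.com/1 may be framed by acceptable.com but not by forbidden.com) and also covers the "allow only certain external sites" case from the earlier Rails answer. It emits Content-Security-Policy: frame-ancestors, which is the mechanism browsers actually implement for a list of origins, and keeps X-Frame-Options only as a fallback for older browsers. The class name FrameAncestorsAllowlist, the per-path resolver, and the origins used in the usage are made up for illustration; the Rack calling convention (app.call(env) returning [status, headers, body]) is real.

```ruby
require 'uri'

class FrameAncestorsAllowlist
  # allowed: an Array of origins, or a callable that receives the Rack env and
  # returns the origins for that request (so mysite.com/1 can have its own list).
  def initialize(app, allowed:)
    @app = app
    @resolver = allowed.respond_to?(:call) ? allowed : ->(_env) { allowed }
  end

  def call(env)
    status, headers, body = @app.call(env)
    origins = @resolver.call(env).map { |o| self.class.normalize_origin(o) }
    # Drop any X-Frame-Options the app set (e.g. Rails' default SAMEORIGIN) so
    # the fallback below is the only one that ships.
    headers = headers.reject { |k, _| k.casecmp?('X-Frame-Options') }
    [status, headers.merge(self.class.frame_headers(origins)), body]
  end

  # Accept only http(s)://host[:port]. Paths, query strings, spaces or ';' in a
  # user-supplied origin could otherwise smuggle extra directives into the
  # CSP header.
  def self.normalize_origin(origin)
    u = URI.parse(origin.to_s)
    ok = %w[http https].include?(u.scheme) && u.host && !u.host.empty? &&
         ['', '/'].include?(u.path.to_s) && u.query.nil? && u.fragment.nil? && u.userinfo.nil?
    raise ArgumentError, "not an origin: #{origin.inspect}" unless ok
    port = u.port == u.default_port ? '' : ":#{u.port}"
    "#{u.scheme}://#{u.host.downcase}#{port}"
  rescue URI::InvalidURIError
    raise ArgumentError, "not an origin: #{origin.inspect}"
  end

  # Browsers that understand frame-ancestors ignore X-Frame-Options when both
  # are present, so X-Frame-Options only matters for old IE/Firefox. It cannot
  # express a list: with two or more external origins there is no legacy
  # fallback that keeps the customer embeds working, so none is sent.
  def self.frame_headers(origins)
    h = { 'Content-Security-Policy' => (["frame-ancestors 'self'"] + origins).join(' ') }
    case origins.size
    when 0 then h['X-Frame-Options'] = 'SAMEORIGIN'
    when 1 then h['X-Frame-Options'] = "ALLOW-FROM #{origins.first}"
    end
    h
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed app and per-page allowlist: only /1 may be framed by acceptable.com.
  app = ->(_env) { [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'SAMEORIGIN' }, ['<p>widget</p>']] }
  per_page = ->(env) { env['PATH_INFO'] == '/1' ? ['https://acceptable.com'] : [] }
  mw = FrameAncestorsAllowlist.new(app, allowed: per_page)
  %w[/1 /2].each do |path|
    _, headers, _ = mw.call('PATH_INFO' => path)
    puts "#{path}: #{headers.select { |k, _| k.start_with?('Content-Security', 'X-Frame') }}"
  end
end
```

In a Rails app the equivalent is `config.middleware.use FrameAncestorsAllowlist, allowed: ...` with a resolver that looks up the owner's registered site for the requested page; note that forbidden.com can still fetch mysite.com/1 with any HTTP client, since frame-ancestors only controls what a browser will render inside a frame, not who can read the response.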