I have a page (runs on Tomcat) that needs to be displayed in iframe by other sites. This page's work depends on Javascript and cookies. It can also detects whether Javascript and cookies are enabled in the browser. I have the following html snippet in a test page (runs on Apache web server) showing the page in iframe
<div id="embedded-page">
<iframe referrerpolicy="no-referrer-when-downgrade" src="_link_to_the_page_on_Tomcat">
...
the page is displayedd in iframe
....
</iframe>
</div>
I use the above html in my tests. The page can be displayed correctly in FF, Edge, Brave and other browsers. Howeve, in Chrome, the page reports that cookies are not supported.
The page to display runs on Tomcat and is part of a Spring MVC website plus Spring Security. For Spring Security, I have the following setup:
<security:headers disabled="true"/>
how to prevent Chrome from disabling cookies in iframe?
This is related to Cookie's SameSite attribute.
With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections.
Quote taken from here.
You should try to set SameSite=None in your Cookie to make it work. After that, you can figure out what is the best value for the SameSite attribute. Take a look at this answer.
iframe not reading cookies in Chrome
Related
We are trying to load our site in an iframe and the site goes to login page when checked in chrome Version 84.0.4147.125. The page loads fine in other browsers. Please help in fixing this.
From what I've found researching this it's related to needing to set the samesite=none header on cookies if it's loaded in an iframe. Since session id is stored in a cookie, that won't work either. Unfortunately, I haven't found any solution that works with .net 4.6.2 which is what we're on, so we have to upgrade everything to 4.7.2 to be able to set the cookie's SameSite property.
For reference.
https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite
https://portswigger.net/daily-swig/google-chrome-84-released-next-week-with-revived-samesite-cookie-changes
Below is my code:
<div style="border: solid 1px #000000; margin: 5px;">
<iframe src="http://www.w3schools.com" width="100%" height="300px" scrolling="yes"><p>Your browser does not support iframe.</p></iframe>
</div>
Contents of iframe works well in chrome but not in firefox. I've disabled add-ons but my iframe is still empty. Can anyone please help me?
If you are trying to add this Iframe on a SSL-encrypted website (https://), it won't work any more since Firefox 23 because Mozilla has decided to blocked all unencrypted content on encrypted websites (for example http-iframes on https-websites).
You can change this behaviour in your own Firefox installation by typing about:config in the address bar and setting security.mixed_content.block_active_content to false.
But that won't help you for all other FF23-visitors on your website.
As of 05/2018, the iframe lead is denied by browser due to X-Frame-Options header set to 'sameorigin'.
Tested the page with Firefox and getting blank iframe.
Here is what console says:
Load denied by X-Frame-Options: https://www.w3schools.com/ does not permit cross-origin framing.
Why that?I'll give Chrome console a chance, here's what it says:
Refused to display 'https://www.w3schools.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Basically, X-Frame-Options header (do not confuse that with CORS), is set to 'sameorigin', that means that the browser is allowed to display the iframe content only if embedded in same domain and same protocol (https://www.w3schools.com/ is not sameorigin of http://www.w3schools.com/).
Here are some docs aboiut x-frame-options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
I don't know if its related but when I try to request w3schools by c# it responses 503 forbidden error. So they may use something to prevent showing up on iframes, etc. Facebook has similiar restrictions, you cannot display their likebox iframe unless you log in.
Why no one has mentioned CORS yet?
FROM mdn
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to let a user agent gain permission to access
selected resources from a server on a different origin (domain) than
the site currently in use. A user agent makes a cross-origin HTTP
request when it requests a resource from a different domain, protocol,
or port than the one from which the current document originated.
An example of a cross-origin request: A HTML page served from
http://domain-a.com makes an src request for
http://domain-b.com/image.jpg. Many pages on the web today load
resources like CSS stylesheets, images, and scripts from separate
domains, such as content delivery networks (CDNs).
For security reasons, browsers restrict cross-origin HTTP requests
initiated from within scripts. For example, XMLHttpRequest and the
Fetch API follow the same-origin policy. This means that a web
application using those APIs can only request HTTP resources from the
same domain the application was loaded from unless CORS headers are
used.
This means that the websites you are trying to enter from the iframe are set to deny requests from your site or others (if not all).
I had the same issue. For me the cause was a trailing slash at the end of the url.
Doesn't work:
<iframe src="http://example.com/some/sub/folder/"></iframe>
Works:
<iframe src="http://example.com/some/sub/folder"></iframe>
You need to have source file of iframe on localhost.
Firefox and Chrome doesn't display this iframe:
<iframe src="https://www.yourdomain.com/form.html"></iframe>
Works:
<iframe src="/form.html"></iframe>
We developed new file action for our web-app, it works fine when using chrome or Firefox but on IE we have problems, when trying to understand the issues we noticed that when the message goes to our web-app it doesn't send any cookies including the session cookie although the web-app sends set-cookie header.
why is it happens?
OK, we found the problem, apparently when using iframes in IE cookies are blocked as IE refers to Iframes as third party app, to unblock cookies we should to add privacy policy to the headers using P3P header.
good place to read about is - Cookie blocked/not saved in IFRAME in Internet Explorer.
This sounds like a possible bug on our end. Can you email us at API AT box.com with specific information about the request that's being sent as well as which version of IE you're using?
I'm making an offline webpage that automatically logs into an online website.
The website uses ssl (https) and to login it uses a form (post variables)
The problem I'm encountering is the following:
The site only accepts my offline form, when I open the online login page first.
This is because the website uses (server-side) sessions which are made when opening the first page. (The purpose of the session is to detect a time-out)
When I first open the online website and then run my offline page everything works fine.
So I need to make my offline webpage open the online website before posting the form automatically.
I tryed this with an iframe, but this doesn't work in internet explorer, as it is a https website. (It does work in Chrome, firefox,...)
I was wondering if Ajax could send a https page request before posting my form. But I guess not as it is https.
Does anybody know a method to send a https page request just like the browser does, but without showing it's output? Afterward I can automatically submit my form.
Thanks in advance!
Internet Explorer treats iframes from other domains as third party content, and uses a separate set of security policies for them. The security zone settings are also in effect between file:/// "local machine"/"offline" webpages and "internet"/"online" webpages. Cookies are usually blocked from third party content (depending on your settings), which means that the unique session key set in the cookies won't be saved. Without this key, the site you are trying to log in to will "forget" your session/login.
Cross-domain AJAX request are also affected by security zones and cross-domain policies, but the settings may differ between IE versions.
There are ways around the limitations, using P3P policies, if you control the target web page. Cookie blocked/not saved in IFRAME in Internet Explorer shows how. But, if you do own the web page, it would be better to enable or implement your own "remember me" feature.
In your case, depending on if you are the only one to use your offline autologin webpage, perhaps allowing third party cookies in Internet Explorer will help. See Options > Privacy > Allow all cookies (or in a similar). This will allow others (mostly ad companies) to track you all over the internet though.
If the purpose for your autologin page is testing, rather than actually using the browser as a human being, perhaps you can automate both logging in and testing?
Trying to copy a cookie from second.com to first.com, with full control of both domains.
Previously an iFrame was used, however this is not able to work across all browsers as it touched on 'third-party cookies' which are hard to implement and impossible in Safari and Chrome.
The new approach uses a SCRIPT tag pointing to second.com and included in the HEAD of first.com. The server-side script is actually a piece of Java which reads the cookies sent with the request (the cookies from second.com) and the JavaScript returned executes on first.com and essentially duplicates the cookie here. This is working great in all browsers except IE, where IE appears to not be sending the second.com cookies with SCRIPT request, so the Java is not able to pickup the cookie value from second.com.
This is surely to do with IE security settings as when I put privacy to the lowest level it is working, but my question is why are the cookies being blocked at all? I thought the SCRIPT tag was not subject to the same origin policy (that AJAX and other technologies have to comply with).
Any solution to this without heading down the P3P privacy policy route?
It's definitely IE security settings, if you're attempting this you'll need to set a P3P compact privacy policy on the page which sets the cookie on first.com, even before you've reached second.com