Load an HTTPS URL by iframe in html page - html

I have this project which is an HTML page and I want to load an HTTPS URL in an iframe. How can I do so?
I get this error:
Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
Any help would be much appreciated.

Sounds like you have a Content Security Policy defined for your app.
You need to add frame-src https://www.google.com to the CSP header to allow iframes with that domain.
Since you have not defined a frame-src in the header, it is falling back to default-src, which doesn't specify the domain either, so it gets blocked.
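An added Python illustration of the fallback the error message mentions, not code from the question or the answer: it resolves which directive governs a frame load (frame-src, then child-src, then default-src) and adds an origin to frame-src while keeping the sources that default-src was supplying, so same-origin frames do not silently break once frame-src exists. The header strings are constructed examples and the fallback table covers only the directives this page touches.

```python
# CSP3 fallback chains, most specific directive first (assumed sufficient for
# this illustration; directives not listed fall back straight to default-src).
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "form-action": ["form-action"],          # never falls back to default-src
    "frame-ancestors": ["frame-ancestors"],  # never falls back to default-src
}


def parse_policy(header):
    """Parse a CSP header value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_policy(policy):
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def effective_sources(header, directive):
    """Return (governing_directive, sources) for a fetch directive, or (None, None)
    when nothing in the policy governs it (the load is then unrestricted by CSP)."""
    policy = parse_policy(header)
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None


def allow_frame_origin(header, origin):
    """Add origin to frame-src. When frame-src is absent, seed it with the sources
    that governed frames via the fallback, because once frame-src exists the
    fallback stops and e.g. same-origin ('self') frames would otherwise break."""
    policy = parse_policy(header)
    if "frame-src" not in policy:
        _, inherited = effective_sources(header, "frame-src")
        policy["frame-src"] = list(inherited or [])
    if origin not in policy["frame-src"]:
        policy["frame-src"].append(origin)
    return serialize_policy(policy)
```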

Related

form-action CSP blocking allowed URL

Login form is blocked by CSP and I don't understand why
Chrome Version 94.0.4606.61
Error message:
Refused to send form data to
'https://subdomain.mydomain.com/login/local' because it
violates the following Content Security Policy directive: "form-action
'self' https: *.mydomain.com".
No problem with Firefox.
This is because during login you perform a redirect through a host-source which is not allowed in the form-action directive (the port, the scheme, or the domain/subdomain name does not match).
When redirecting, the CSP checks the entire chain of sources, but browsers differ in the behavior of form-action for redirects:
Chrome/Safari consider a redirect when submitting a form to be potentially dangerous, since sensitive user data can be redirected to an attacker's domain. Therefore, they block the redirection if a host-source (domain) not allowed in form-action participates in the chain of redirects.
Firefox believes that the server redirect is under the control of the owner of the page protected by CSP. Therefore, during a redirect it allows you to send the form even to third-party domains.
Note 1. 'self' means the exact scheme://domain:port of the URL in the address bar. Therefore the CSP:
form-action 'self' https: *.mydomain.com
If the URL is HTTPS://subdomain.mydomain.com, the above CSP becomes form-action HTTPS://subdomain.mydomain.com https: HTTPS://*.mydomain.com, which is equal to form-action https: - it allows anything except http: URLs.
If the URL is HTTP://subdomain.mydomain.com, the above CSP becomes form-action HTTP://subdomain.mydomain.com https: HTTP://*.mydomain.com, and it does not allow the main domain mydomain.com.
Note 2. The URL https://subdomain.mydomain.com/login/local in the message:
Refused to send form data to 'https://subdomain.mydomain.com/login/local' because it violates ...
is not really the URL blocked by Chrome. This is just the first URL in the redirect chain.
Note 3. If CSP still blocks an allowed domain, it is most likely interference from browser extensions such as NoScript/uBlock/AdBlock/PrivacyBadger, etc.
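An added Python model of the behaviour described above (not code from the answer or from any browser): it evaluates each URL of a redirect chain against the form-action source list, applying Chrome's check-every-hop rule or Firefox's first-URL-only rule as the answer describes them. The page URL, policy and redirect chain are constructed; host-source paths and ports are not modelled, and 'self' is treated as the exact scheme://host:port as Note 1 states.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_form_action(header):
    """Source list of the form-action directive, or None when the directive is absent
    (form-action does NOT fall back to default-src)."""
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "form-action":
            return tokens[1:]
    return None

def _origin(url):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname, p.port or DEFAULT_PORTS[scheme]

def _scheme_ok(policy_scheme, url_scheme):
    # CSP3 "scheme-part matches": equal, or a secure upgrade (http policy, https URL)
    return policy_scheme == url_scheme or (policy_scheme == "http" and url_scheme == "https")

def source_matches(source, url, page_url):
    """Does one form-action source expression allow url for a page at page_url?"""
    scheme, host, port = _origin(url)
    page_scheme, page_host, page_port = _origin(page_url)
    if source == "'self'":                      # exact scheme://host:port of the page
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    if source.endswith(":"):                    # scheme-source such as https:
        return _scheme_ok(source[:-1].lower(), scheme)
    if "://" in source:                         # host-source with explicit scheme
        src_scheme, src_host = source.lower().split("://", 1)
    else:                                       # scheme omitted: the page's scheme applies
        src_scheme, src_host = page_scheme, source.lower()
    if not _scheme_ok(src_scheme, scheme):
        return False
    if src_host.startswith("*."):               # *.mydomain.com never matches mydomain.com itself
        return host.endswith(src_host[1:])
    return host == src_host

def chain_allowed(sources, redirect_chain, page_url, browser):
    """Chrome/Safari check every URL of the redirect chain; Firefox (as the answer
    describes it) checks only the URL the form was submitted to."""
    urls = redirect_chain if browser == "chrome" else redirect_chain[:1]
    return all(any(source_matches(s, u, page_url) for s in sources) for u in urls)
```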

Content-Security-Policy (CSP) frame-ancestors for iframes without src

I want to prevent hosting my website (i.e., www.my.com) in an iframe except for an allow-list of domains (i.e., www.test.com, www.bla.com, ..., www.n.com) to protect against clickjacking.
To implement it for normal browsers I use Content-Security-Policy and send all the domains with both http and https schemes. For IE I use the referrer hostname and check it against the allow-list of domains; if the domain exists, I add it to X-Frame-Options; otherwise, I send SAMEORIGIN.
For example, assuming the referrer domain is www.n.com
X-Frame-Options: ALLOW-FROM https://www.n.com
Content-Security-Policy: frame-ancestors 'self' https://www.test.com https://www.bla.com ... https://www.n.com; http://www.test.com http://www.bla.com ... http://www.n.com;
However, I want to host my website inside another website (Salesforce in this case), and this website doesn't host the iframe directly in the top page, but creates another iframe without a URL (i.e., without the src attribute) and hosts my iframe inside:
-> top window: www.n.com
-> -> iframe without src <iframe name="some_name">
-> -> -> iframe with my website <iframe src="https://www.my.com">
The browser (Chrome) prevents my website from loading since: "Refused to frame 'https://www.my.com/' because an ancestor violates the following Content Security Policy directive...".
I think it includes the middle iframe (without the src) in the CSP check and that is the problem.
How can I protect my website from clickjacking using the Content-Security-Policy / X-Frame-Options while supporting this situation?
UPDATE
If you are reading this question: I found that Chrome ignores the empty src and works as expected. I was wrong and missed another domain in the way:
-> top window: www.n.com
-> -> iframe with some src <iframe src="https://www.opppsss.com">
-> -> -> iframe without src <iframe name="some_name">
-> -> -> -> iframe with my website <iframe src="https://www.my.com">
You need to add all of the domains in the chain to the CSP header.
The frame-ancestors directive works with a tuple of origins.
In the case of <iframe src=http://...>, things are easy and the origin tuple is taken from the src=.
In the case of an <iframe> whose src= is a data: URL, the origin will be opaque, therefore frame-ancestors skips it and checks the parent.
In the case of <iframe name="some_name">, its content is created by the parent page's JavaScript using the .contentDocument property, so the origin of the iframe will be the same as the parent page's.
Therefore you must specify in frame-ancestors the origins of the entire ascending chain of parents in the DOM.
Unfortunately, the X-Frame-Options header is not suitable in the case of several host-sources.
The browser (Chrome) seems to include the middle iframe in the CSP check and prevents my website from loading.
It's very interesting, how did you know that...
IMHO the problem is that your CSP is based on the referrer. Which referrer do you expect to get in the case of:
-> top window: www.n.com
-> -> iframe without src <iframe name="some_name">
-> -> -> iframe with my website <iframe src="https://www.my.com">
I think you have got an empty referrer taken from the nearest parent, therefore Content-Security-Policy: frame-ancestors 'self' is published -> embedding into Salesforce is forbidden.
Content-Security-Policy frame-ancestors can contain multiple sources, so you can include your entire allow-list. As all ancestors need to pass the frame-ancestors check, you must include multiple sources for your Salesforce example to work; see https://www.w3.org/TR/CSP3/#frame-ancestors-navigation-response
X-Frame-Options ALLOW-FROM can only contain one source, and it is up to the browser to decide if all ancestors, the top or the bottom must match; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.
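The ancestor-chain rule from the answer that lists the three iframe cases, and the point above that every ancestor must pass the check, as an added Python model (not code from the page or from any browser): it derives the origin of each ancestor frame following those three cases, then evaluates frame-ancestors against every one and reports the first offending origin. The policy and frame chains are constructed from the question; ports and paths in host-sources are not modelled.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Serialised origin (scheme://host[:port]) of an http(s) URL."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.hostname}" + (f":{p.port}" if p.port else "")

def ancestor_origins(top_url, frame_srcs):
    """Origin of every ancestor, top window first: an http(s) src gives that origin,
    a srcless frame (filled via .contentDocument) inherits its parent's, data: is opaque."""
    origins = [origin_of(top_url)]
    for src in frame_srcs:
        if src is None:
            origins.append(origins[-1])
        elif src.startswith("data:"):
            origins.append(None)
        else:
            origins.append(origin_of(src))
    return origins

def source_allows(source, origin, self_origin):
    """Simplified host-source matching: scheme optional, leading *. wildcard."""
    if source == "'self'":
        return origin == self_origin
    src_scheme, src_host = source.lower().split("://", 1) if "://" in source else (None, source.lower())
    origin_scheme, origin_host = origin.split("://", 1)
    if src_scheme and src_scheme != origin_scheme:
        return False
    if src_host.startswith("*."):
        return origin_host.endswith(src_host[1:])
    return origin_host == src_host

def frame_ancestors_allows(policy, self_url, top_url, frame_srcs):
    """Return (allowed, offending_origin) for framing self_url below the given chain."""
    sources = None
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
    if sources is None:
        return True, None  # no frame-ancestors directive: CSP does not restrict framing
    self_origin = origin_of(self_url)
    for origin in ancestor_origins(top_url, frame_srcs):
        if origin is None:  # opaque origin: skipped, as the answer describes
            continue
        if not any(source_allows(s, origin, self_origin) for s in sources):
            return False, origin
    return True, None
```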

Chrome extension, because it violates the following Content Security Policy directive but only after refreshing window

I made a Chrome extension that loads an iframe on the Gmail URL. So far so good!
When I install the extension it loads the iframe with no problems, but here comes the problem. If I refresh or access Gmail again it doesn't work anymore, with the following error and no other errors.
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self' ...".
Now, you are wondering if I put the CSP in my header. The answer is yes. I have header("Content-Security-Policy: frame-src 'self' https://*.google.com;"); in my PHP and the header is loaded. But the question I can't answer is: is Chrome seeing errors after the page refresh, and why?
In theory if there is a problem in the CSP it should block the iframe from the first moment, and not after a while.
Do you know anything about this?
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self' ... Google's domains here ...
It's not your CSP, but one of Google's iframes publishes its own, because commonly Google does not allow embedding its own pages into third-party sites.
Most interesting part: 'https://...........com/' is hidden (is this your domain or not?).
Is Chrome seeing errors after the page refresh and why?
Google's services are based on a lot of their own iframes, which interact with each other based on cookies.
For example, you can embed https://gmail.com into an iframe, but if you are logged into an account (have auth cookies), Gmail auto-redirects you to the https://mail.google.com/mail/u/0/ page, which does not allow iframing (because of X-Frame-Options: DENY).
The behavior of Google's iframes can be very complicated, so an exact answer to "why" is not possible without detailed research.
Anyway, embedding Google services (not officially intended for embedding) into an iframe is not a good idea. Google does not allow that for security reasons.

How to make the iframe block requests from certain domains?

Is there an attribute for iframes that will make it block requests to certain domains? Something like the following:
<iframe src="www.example.com" block-domains="google.com"></iframe>
So if block-domains is that magical attribute I'm looking for, it's telling the iframe to block all requests to google.com.
I believe the closest you can get to this is by setting X-Frame-Options in the response header. The documentation here states that you can provide any one of the 2 following options (the 3rd being obsolete):
DENY: the iframe will not be displayed, regardless of the page trying to embed it
SAMEORIGIN: the iframe will only be displayed if called by a site having the same origin as the page itself (by checking the frame ancestors)
Another workaround might be to use frame-ancestors as part of the Content-Security-Policy header, which will allow you to specify sites on which the iframe can be embedded.
As far as I know, it is not possible unless you have access to set response headers of the domain you want to load.
If you have access then you can set the Content-Security-Policy response header with frame-src. It restricts what domains a page can load in an iframe.
For example: if the website at https://example.com has a response header of
Content-Security-Policy: frame-src 'self' *.trusted.com, then it is only possible to make requests to example.com and *.trusted.com domains inside an iframe.

iframe refuses to display

I am trying to load a simple iframe into one of my web pages but it is not displaying. I am getting this error in Chrome:
Refused to display 'https://cw.na1.hgncloud.com/crossmatch/index.do' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://cw.na1.hgncloud.com".
Invalid 'X-Frame-Options' header encountered when loading 'https://cw.na1.hgncloud.com/crossmatch/index.do': 'ALLOW-FROM https://cw.na1.hgncloud.com' is not a recognized directive. The header will be ignored.
This is the code for my iframe:
<p><iframe src="https://cw.na1.hgncloud.com/crossmatch/" width="680" height="500" frameborder="0"></iframe></p>
I am not really sure what that means. I have loaded plenty of iframes before and never received such errors.
Any ideas?
It means that the HTTP server at cw.na1.hgncloud.com sends some HTTP headers to tell web browsers like Chrome to allow iframe loading of that page (https://cw.na1.hgncloud.com/crossmatch/) only from a page hosted on the same domain (cw.na1.hgncloud.com):
Content-Security-Policy: frame-ancestors 'self' https://cw.na1.hgncloud.com
X-Frame-Options: ALLOW-FROM https://cw.na1.hgncloud.com
You should read these:
https://developer.mozilla.org/en-US/docs/Web/Security/CSP
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
The reason for the error is that the host server for https://cw.na1.hgncloud.com has provided some HTTP headers to protect the document. One of which is that the frame ancestors must be from the same domain as the original content. It seems you are attempting to put the iframe at a domain location that is not the same as the content of the iframe - thus violating the Content Security Policy that the host has set.
Check out this link on Content Security Policy for more details.
For any of you calling back to the same server for your IFRAME, pass this simple header inside the IFRAME page:
Content-Security-Policy: frame-ancestors 'self'
Or, add this to your web server's CSP configuration.
In my case it was that the site I was embedding had a specific URL for embedding content and a different URL for sharing.
The URL I had set in the iframe was
https://site/share/2432423232
Changing it to
https://site/embed/2432423232
worked for me.
The same issue happened to me; don't open the page in a private window.
You can use multiple browsers if you need to log in with different users.