Cookie consent popup does not disappear in IFrame - html

In our application, we have an IFrame which is used to display any site (which is set through the admin/CRM console). We are experiencing a strange issue showing sites with a cookie consent popup in the IFrame. In the IFrame, even if the user accepts the cookie consent, the popup appears again in subsequent requests. It looks like the IFrame is not able to send or set the cookies.
When we open the websites in browser tabs, the popup does not come again once we accept the cookies. What might be happening, and how can we get rid of these cookie consent popups once the user accepts them in the IFrame? Please note we don't have control over the sites shown in the IFrame.
I tried a simple HTML page with an IFrame and the issue replicated there; the code is as follows:
<html>
<head>
<title>IFrame issue</title>
</head>
<body>
<iframe src="https://www.nutrition.org.uk/" height="100%" width="100%" title="IFrame Example" ></iframe>
</body>
</html>
Screenshot of popup (bottom of the page, in black)
Update:
I checked the cookies set for this website.
In a normal browser tab, when the user clicks the "OK" button, a new cookie is set, e.g. in this case "cookieAcceptanceCookie"="accepted". Check the image below.
I checked the same with the IFrame and there too the same cookie was set. Check the image below.
So it looks like the issue lies in sending this cookie in subsequent requests. I guess normal browser tabs can send this cookie whereas the IFrame is not able to send it, hence this issue is coming up in the IFrame.

This is actually a common privacy feature of browsers: iframes aren't allowed to set cookies. It's a protection against CSRF and an anti-tracking feature, because for a long time websites were tracking users via cookies that come from iframes.
You'll probably need to instruct your users to allow third-party cookies in chrome://settings/content/cookies, possibly creating a page like this one.
If you controlled the sites inside the iframe, you could use SameSite=None... but unfortunately that's not applicable because you don't have control of them.
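The behaviour the question and this answer describe, as an added example (not code from the original post or the framed site): a small model of the SameSite rules a browser applies when deciding whether a cookie rides along with a request. It assumes "same site" can be approximated by comparing scheme and hostname (a real browser compares the registrable domain of both URLs), and the embedding page `https://crm.example/page` is a constructed placeholder.

```javascript
// Added example, not code from the original question or answer: a model of the SameSite
// rules a browser applies when deciding whether a cookie is attached to a request, which is
// what makes a consent cookie "stick" in a tab but not in a cross-site iframe.
// Assumption: "same site" is approximated by comparing scheme and hostname; a real browser
// compares the registrable domain (eTLD+1) of both URLs.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// Parse one Set-Cookie header value. No SameSite attribute means Chrome's default, Lax.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: 'Lax', secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'samesite') cookie.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
  }
  return cookie;
}

// Does `cookie` (owned by requestUrl's site) travel with this request?
//   initiatorUrl:      page that caused the request (null for a URL the user typed)
//   topLevel:          true for a navigation in the tab itself, false for an iframe/img/fetch
//   thirdPartyBlocked: the user's "block third-party cookies" setting
function cookieIsSent(cookie, { requestUrl, initiatorUrl = null, topLevel = false, method = 'GET', thirdPartyBlocked = false }) {
  if (cookie.sameSite === 'None' && !cookie.secure) return false; // rejected when it was set
  const crossSite = initiatorUrl !== null && siteOf(requestUrl) !== siteOf(initiatorUrl);
  if (!crossSite) return true;
  if (!topLevel && thirdPartyBlocked) return false; // user setting wins over SameSite=None
  if (cookie.sameSite === 'None') return true;
  if (cookie.sameSite === 'Strict') return false;
  // Lax, explicit or defaulted: only top-level navigations with a safe method.
  // Chrome's two-minute "Lax+POST" allowance for freshly set cookies is left out.
  return topLevel && method === 'GET';
}

// Constructed scenario from the question: the consent cookie set by the framed site.
const consentCookie = parseSetCookie('cookieAcceptanceCookie=accepted; Path=/');
const inIframe = { requestUrl: 'https://www.nutrition.org.uk/', initiatorUrl: 'https://crm.example/page', topLevel: false };
const ownTab = { requestUrl: 'https://www.nutrition.org.uk/', initiatorUrl: null, topLevel: true };
console.log('iframe:', cookieIsSent(consentCookie, inIframe), 'tab:', cookieIsSent(consentCookie, ownTab));
```

Run with Node: the Lax-defaulted consent cookie is sent in the tab but not in the cross-site iframe, and only a cookie re-issued with SameSite=None; Secure by the framed site would change that (and even then not while third-party cookies are blocked).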

Related

Trying to get an embedded weblink or iframe to display another website

I'm trying to get a web link to display a website but I keep getting a "workplace.facebook.com refused to connect." in my display.
I tried doing an iframe and also the embed code and both display the same thing.
<!DOCTYPE html>
<html>
<body>
<embed src="https://workplace.facebook.com" style="width:500px; height:300px;">
</body>
</html>
The output should be the main website of workplace Facebook which will be displayed on TVs around my work. The reason why I need this to work like this is so I can refresh the page after 20 minutes and have it so it automatically scrolls down slowly. These expectations are not the problem just the web link not displaying.
Some websites do not allow external hosts to display their websites inside an iframe; they block these requests using an X-Frame-Options message of SAMEORIGIN, which only allows them to be displayed on sites with the same domain as the website itself.
Facebook, for example, won't allow iframes from anywhere but facebook.com.
If you use "inspect element" in most modern browsers you should be able to see an error message similar to this:
Refused to display 'https://www.work.facebook.com/' in a frame because
it set 'X-Frame-Options' to 'sameorigin'.
It means that the HTTP server at workplace.facebook.com sends some HTTP headers to tell web browsers like Chrome to allow iframe loading of that page (https://workplace.facebook.com) only from a page hosted on the same domain (workplace.facebook.com).
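The check this answer describes, as an added example (not code from the original answer or from Facebook): how a browser evaluates the X-Frame-Options header of a response before rendering it inside a frame. It assumes only the top-level page is compared, whereas current browsers check every ancestor frame, and `https://signage.example/board.html` is a constructed placeholder for the embedding page.

```javascript
// Added example, not from the original answer: the decision a browser makes from the
// X-Frame-Options response header before it renders a document inside a frame.
// Assumption: only the top-level page is compared; real browsers check every ancestor.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// frameUrl: the framed document, topUrl: the page that embeds it,
// headers: the framed document's response headers with lower-cased names.
// Returns { allowed, reason }; the refusal text mirrors the console message quoted above.
function frameDecision(frameUrl, topUrl, headers) {
  const raw = headers['x-frame-options'];
  if (raw === undefined) return { allowed: true, reason: 'no X-Frame-Options header' };
  // A header sent twice is folded into a comma-separated list; distinct values are a conflict
  // and the browser refuses to frame the document at all.
  const values = [...new Set(raw.split(',').map((v) => v.trim().toUpperCase()))];
  if (values.length > 1) return { allowed: false, reason: `conflicting X-Frame-Options values '${raw}'` };
  const [value] = values;
  if (value === 'DENY') {
    return { allowed: false, reason: `Refused to display '${frameUrl}' in a frame because it set 'X-Frame-Options' to 'deny'.` };
  }
  if (value === 'SAMEORIGIN') {
    if (originOf(frameUrl) === originOf(topUrl)) return { allowed: true, reason: 'same origin as the framing page' };
    return { allowed: false, reason: `Refused to display '${frameUrl}' in a frame because it set 'X-Frame-Options' to 'sameorigin'.` };
  }
  // ALLOW-FROM and any other token are ignored by current browsers, so no restriction applies.
  return { allowed: true, reason: `ignored X-Frame-Options value '${raw}'` };
}

// Constructed scenario from the question: a signage page framing workplace.facebook.com.
const fbHeaders = { 'x-frame-options': 'sameorigin' };
console.log(frameDecision('https://workplace.facebook.com/', 'https://signage.example/board.html', fbHeaders).reason);
```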

Why are iframe requests not sending cookies?

A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.
scaffold.html:
<html>
<head>
<title>I just show the output from a bunch of report calls</title>
</head>
<body>
<iframe src="https://somesite.com/useful_report.html?parameter1=a&parameter2=1" id="iframe1"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=b&parameter2=2" id="iframe2"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=c&parameter2=3" id="iframe3"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=d&parameter2=4" id="iframe4"></iframe>
</body>
</html>
The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.
When I
1. sign on to https://somesite.com, then
2. load file:///C:/Users/me/Desktop/scaffold.html into Chrome,
each of the iframes returns the https://somesite.com sign-on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).
Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" attribute, so this explains why useful_report.html returns the sign on form.
My question is why are the iframe requests not sending cookies? What Chrome and/or server setting/policy/directive prevents it?
‡ - and now it knows that I know that it knows.
That's because of the SameSite cookie policy: Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL, which excludes iframes.
If you own somesite.com you can opt out of this policy by setting the SameSite policy to None and deal with the risk of CSRF attacks with a Double Submit Cookie.

Iframe isn't displayed in IE on some URLs

I have simple html code:
<iframe src="http://public.bullhornstaffing.com" width="500" height="700"></iframe>
<iframe src="http://public.bullhornstaffing.com/JobBoard/Standard/default.cfm?privateLabelID=9076" width="500" height="700"></iframe>
The first iframe is displayed fine in all browsers, but the second iframe isn't displayed in IE; instead of the page I see the text "Site Not Found. The site your are trying to find does not exist."
But when I try to open the iframe URL in the browser directly, everything works as it should.
Is there a method to correct it?
The URL of the second iframe gets redirected to http://public.bullhornstaffing.com/JobBoard/Standard/BHContent_JobOpportunities.cfm and for some reason, the server responds to it differently when accessed on IE via iframe (or otherwise as embedded). What you get is technically a normal server response, just with special content.
It is at the discretion of the server admin to do such things, e.g. in an attempt at preventing framing, though this behavior might be unintentional. Contact the server admin.

Google Chrome cross domain cookie issue with iframe

I know this has been asked a few times, but in all the answers I found there was someone asking if it would still work and somebody else saying that it doesn't, so I was wondering if there is a solution to this problem that still works with the latest version of Chrome:
Let's say we have a website with an iframe embedded in it, and the iframe source is from another host. The page inside the iframe needs cookies to work, but Google Chrome seems to refuse to set cookies that are set within the iframe. (This only happens when "block 3rd party cookies" is checked, which seems to be happening on its own because I have multiple reports from different users who didn't touch the advanced options.)
I have control over both of the sites, though I can only modify the HTML on the page that contains the iframe, no server-side stuff.
Things I have tried so far that didn't work:
- embedding an image from the same host as the iframe's source
- making a POST request to the iframe
- setting up a P3P header
I can also send messages using xdm, though I don't know if that could help.
If anyone has any further ideas it would be greatly appreciated! I feel like there must be a solution to this problem somewhere.
Setting cookies inside an iFrame can be troublesome. However, an iFrame can access cookies set outside the iFrame. You can show the page in a popup window which sets the necessary cookies (like authentication, etc.) and then access these cookies from within the iFrame.
This is very helpful in case you want to authenticate a user on some other domain. Just show a popup, authenticate and set cookies, then access these cookies on your site from the iFrame.

Open Facebook page in iframe or frame?

I want to have two Facebook pages open at the same time as part of my HTML page.
So when you go to mypage.html, two Facebook pages will be displayed. Is this possible?
I get something like:
with code like:
<frameset cols="25%,75%">
or
<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
<p>Your browser does not support iframes.</p> </iframe>
I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks, where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the Facebook frame and taking some action (e.g. posting a malicious link to their profile, etc.).
While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe in your page. The Same Origin Policy dictates that JavaScript on one domain cannot access anything on a page on a different domain.
Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME (or any frame) could use JavaScript to access elements of the Facebook page, including username and password fields.
There is no way around this. It is built in to the browsers themselves to send some information along in the request header that says it is being requested to be put in a frame.
Gmail and several other sites do this as well.
There are specific situations where overriding the "X-Frame-Options" security policy is useful, such as in digital signage, where it is desirable to show an organization's Facebook page in an iframe alongside other signage iframes.
Clickjacking and phishing will not occur because the organization is displaying its own Facebook page on its own browser-driven display devices.
If the browser doesn't provide an internal X-Frame-Options override on its "about:flags" page, you may need to install a browser extension to override X-Frame-Options on the signage device.