Is there an attribute for iframes that will make it block requests to certain domains? Something like the following:
<iframe src="www.example.com" block-domains="google.com"></iframe>
So if block-domains is that magical attribute I'm looking for, it's telling the iframe to block all requests to google.com.
I believe the closest you can get to this is by setting X-Frame-options in the HEADER declaration. The documentation here states that you can provide any one of the 2 following options (the 3rd being obsolete):
DENY : the iframe will not be displayed, regardless of the page trying to embedd it
SAMEORIGIN : the iframe will only be displayed if called by a site having the same origin as the page itself (by checking the frame ancestors)
Another work around might be to use frame-ancestors as part of content security policy header, that will allow you to specify sites on which the iframe can be embedded.
As far as I know, it is not possible unless you have access to set response headers of the domain you want to load.
If you have access then you can set Content-Security-Policy response header to frame-src. It restricts what domains a page can load in an iframe.
For example: If the website at https://example.com has a response header of
Content-Security-Policy: frame-src 'self' *.trusted.com. Then it is only possible to make requests to example.com and *.trusted.com domains inside iframe.
Related
I want to prevent hosting my website (i.e., www.my.com) in an iframe except for an allow-list of domains (i.e., www.test.com, www.bla.com, ..., www.n.com) to protect against clickjacking.
To implement it for normal browsers I use Content-Security-Policy and send all the domains with both http and https schema. for IE I use the referrer hostname and check it against the allow-list of domains; if the domain exists, I add it to X-Frame-Options; otherwise, I send SAMEORIGIN.
For example, assuming the referrer domain is www.n.com
X-Frame-Options: ALLOW-FROM https://www.n.com
Content-Security-Policy: frame-ancestors 'self' https://www.test.com https://www.bla.com ... https://www.n.com; http://www.test.com http://www.bla.com ... http://www.n.com;
However, I want to host my website inside an other website (salesforce in this case) and this website doesn't host the iframe directly in the top page, but creates another iframe without a URL (i.e., without the src attribute) and host my iframe inside:
-> top window: www.n.com
-> -> iframe without src <iframe name="some_name">
-> -> -> iframe with my website <iframe src="https://www.my.com">
The browser (chrome) prevents my website from loading since: "Refused to frame 'https://www.my.com/' because an ancestor violates the following Content Security Policy directive...".
I think it includes the middle iframe (without the src) in the CSP check and that is the problem.
How can I protect my website from clickjacking using the Content-Security-Policy / X-Frame-Options while supporting this situation?
UPDATE
If you are reading this question - I found that chrome ignores the empty src and works as expected. I was wrong and missed another domain in the way:
-> top window: www.n.com
-> -> iframe with some src <iframe src="https://www.opppsss.com">
-> -> -> iframe without src <iframe name="some_name">
-> -> -> -> iframe with my website <iframe src="https://www.my.com">
You need to add all of the domains in the chain to the CSP header.
The frame-ancestors directive works with tuple of origins.
In case of <iframe src=http://... things is easy and tuple of origin is taken from the src=.
In case of <iframe src=data:-Url the origin will be opaque, therefore frame-ancestors skips it and checks the parent.
In case of <iframe name="some_name"> its content is created by parent page javascript using .contentDocument property. So the origin of the iframe will be the same as the parent page.
Therefore you must specify in the frame-ancestors the origins of the entire ascending chain of parents in the DOM.
Unfortunately, the X-Frame-Options:... header is not suitable in case of several host-sources.
The browser (chrome) seems to include the middle iframe in the CSPv check and prevents my website from loading.
Its very interesting how did you know that...
IMHO the problem is your CSP is based on referrer. Which referrer you expect to get in case of:
-> top window: www.n.com
-> -> iframe without src <iframe name="some_name">
-> -> -> iframe with my website <iframe src="https://www.my.com">
I think you have got empty referrer taken from nearest parent, therefore is published Content-Security-Policy: frame-ancestors 'self' -> embedding into salesforce is forbidden.
Content-Security-Policy frame-ancestors can contain multiple sources, so you can include your entire allow-list. As all ancestors need to pass the frame-ancestors check you must include multiple sources for your salesforce example to work, see https://www.w3.org/TR/CSP3/#frame-ancestors-navigation-response
X-Frame-Options ALLOW-FROM can only contain one source, and it is up to the browser to decide if the all ancestors, top or bottom must match, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.
I have this project which is an HTML page and wanted to load an HTTPS URL by iframe, How can I do so?
I get this error:
Refused to frame 'https://www.google.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
any help would be much appreciated.
Sounds like you have a Content Security Policy defined for your app.
You need to add frame-src: https://www.google.com to the CSP header to allow iframes with that domain.
Since you have not defined a frame-src in the header, it is falling back to default-src, which doesn't specify the domain either, so it gets blocked.
I want to add this header to my nginx server
add_header X-Frame-Options "SAMEORIGIN";
However I want people to still be able to use an <iframe> that refers to my website.
Like youtube provides an embeded url for video, I do the same for a particular part of my website.
is "SAMEORIGIN" is the right value? or is X-Frame-Options header is in conflict with the functionality I'm trying to acheive?
There are three possible directives for X-Frame-Options:
X-Frame-Options: deny page cannot be displayed in a frame
X-Frame-Options: sameorigin page can only be displayed in a frame on the same origin as the page itself (same domain)
X-Frame-Options: allow-from https://example.com/ page can only be displayed in a frame on the specified origin
If you set it at sameorigin when hosts(people) try to load your site in an <iframe> then the browser give you an error. Try this and open your dev console:
<iframe src="https://www.google.com"/>
So in short sameorigin of course is the wrong choice if you want your site to be loaded into an <iframe> by other people(domains). Try reading this if you want to get what you are looking for:
Overcoming "Display forbidden by X-Frame-Options"
I am using an <iframe> HTML tag on my page e.g. to embed content from YouTube:
<iframe src="https://www.youtube.com/embed/DnPQNOq8x2s"></iframe>
However the content is not loaded.
In Firefox nothing is shown. In Chrome, a message like "Request blocked by an extension" is shown.
What is blocking the embedded iframe content and how can I get it to load and be shown?
This is probably due to the Content Security Policy HTTP response header.
If your HTTP framework or server is configured to insert this header into the response, you should make sure that you set the frame-src directive for it:
Content-Security-Policy: frame-src *.youtube.com; (or equivalent for any site you want to embed)
The documentation for your HTTP server or framework should specify how to configure this.
I am trying to load a simple iframe into one of my web pages but it is not displaying. I am getting this error in Chrome:
Refused to display 'https://cw.na1.hgncloud.com/crossmatch/index.do' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://cw.na1.hgncloud.com".
Invalid 'X-Frame-Options' header encountered when loading 'https://cw.na1.hgncloud.com/crossmatch/index.do': 'ALLOW-FROM https://cw.na1.hgncloud.com' is not a recognized directive. The header will be ignored.
This is the code for my iframe:
<p><iframe src="https://cw.na1.hgncloud.com/crossmatch/" width="680" height="500" frameborder="0"></iframe></p>
I am not really sure what that means. I have loaded plenty iframes before and never received such errors.
Any ideas?
It means that the http server at cw.na1.hgncloud.com send some http headers to tell web browsers like Chrome to allow iframe loading of that page (https://cw.na1.hgncloud.com/crossmatch/) only from a page hosted on the same domain (cw.na1.hgncloud.com) :
Content-Security-Policy: frame-ancestors 'self' https://cw.na1.hgncloud.com
X-Frame-Options: ALLOW-FROM https://cw.na1.hgncloud.com
You should read that :
https://developer.mozilla.org/en-US/docs/Web/Security/CSP
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
The reason for the error is that the host server for https://cw.na1.hgncloud.com has provided some HTTP headers to protect the document. One of which is that the frame ancestors must be from the same domain as the original content. It seems you are attempting to put the iframe at a domain location that is not the same as the content of the iframe - thus violating the Content Security Policy that the host has set.
Check out this link on Content Security Policy for more details.
For any of you calling back to the same server for your IFRAME, pass this simple header inside the IFRAME page:
Content-Security-Policy: frame-ancestors 'self'
Or, add this to your web server's CSP configuration.
In my case it was that the site i was embedding had a specific url for embedding content and a different url for sharing
the url i had set in the iframe was
https://site/share/2432423232
changing it to
https://site/embed/2432423232
worked for me
The same issue appears to me, don't open the page in a private window.
You can use multiple browsers if you need to log in with different users.