X-Frame-Options is not set, yet Chrome complains that it is - google-chrome

I'm trying to load an IFrame on my website, but I'm getting the dreaded Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'sameorigin'. However, when I look at the actual response headers sent from the other website I can't find a single occurrence of X-Frame-Options!
Why does Chrome complain that the header is set when I can't find it in DevTools?
The URL of the site I'm trying to embed is https://localhost:44359 and it is running an ASP.NET Core MVC instance.
I tried adding some middleware to it to remove this header, but seeing as the header is never set there is also nothing to remove... unless, of course, this is set by MVC itself, in which case no middleware will help because MVC terminates the middleware pipeline.
I guess I could set a <meta> tag on the page itself, but even Google says that X-Frame-Options Allow-From is not supported and I found an article (unfortunately can't find it again) that said Google would be using Content Security Policy for this instead. I tried adding frame-src https://localhost:44359 to the CSP for the site that is trying to embed an iframe, but that had no effect.
Is there any way of "forcing" Chrome (et al) to accept an iframe from localhost?

Related

Why ASP.NET Core application not loading in iframe in the same domain?

I have an ASP.NET Core MVC website that is the src of an IFRAME inside a portal. Both the portal and the .NET Core application have the same domain (eg. site.portal.domain / portal.domain).
When I enter the portal, I get a message in the browsers:
mysite.portal.domain refused to connect
(on Chrome); the other browsers give different errors, e.g. IE 11 gives:
This content cannot be displayed in a frame
On Chrome debug I found the message:
Refused to display 'https://site.portal.domain' in a frame because it
set 'X-Frame-Options' to 'sameorigin'.
Any hints on how to solve that?
X-FRAME-OPTIONS is used to protect against clickjacking attempts. If you own the application and want it to be framed, you can skip the restriction:
services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
By default, the X-Frame-Options header is generated with the value SAMEORIGIN. If this setting is 'true', the X-Frame-Options header will not be generated for the response.

Iframe embedded content not loading

I am using an <iframe> HTML tag on my page e.g. to embed content from YouTube:
<iframe src="https://www.youtube.com/embed/DnPQNOq8x2s"></iframe>
However the content is not loaded.
In Firefox nothing is shown. In Chrome, a message like "Request blocked by an extension" is shown.
What is blocking the embedded iframe content and how can I get it to load and be shown?
This is probably due to the Content Security Policy HTTP response header.
If your HTTP framework or server is configured to insert this header into the response, you should make sure that you set the frame-src directive for it:
Content-Security-Policy: frame-src *.youtube.com; (or equivalent for any site you want to embed)
The documentation for your HTTP server or framework should specify how to configure this.

<iframe> and <object> are both blank, but only in Firefox

I am attempting to embed one site into another site. I control both servers, which I will refer to here as "site1.com" (the site in the browser) and "site2.com" (the site I am trying to embed).
HTML embed code
Attempt 1, using iframe tag:
<iframe height="600" width="600" name="my other site"
src="https://site2.com/foo/bar">
Unable to display--your browser does not support frames.
</iframe>
Attempt 2, using object tag:
<object type="text/html" height="600" width="600" name="my other site"
data="https://site2.com/foo/bar"></object>
Things I know are not the problem
Secure/insecure mismatch
I've read that Firefox will not allow an HTTP embed into an HTTPS page. Both sites are HTTPS, so there is no mismatch. The loaded resources (CSS, etc) are also https, from same origin, so there is no mixed-content problem.
I have tried setting security.mixed_content.block_active_content to false, in case I was mistaken about this, but the iframe was still blank.
Invalid or untrusted certificates
Both sites are using valid certificates, signed by a proper trusted authority, and are not expired. In fact, we are using a subdomain wildcard certificate, so they are both using the same certificate (they both are in the same subdomain).
X-Frame-Options
The site that I am trying to embed has this response header:
X-Frame-Options: ALLOW-FROM SITE1.COM
Content-Security-Policy
The site that I am trying to embed has this response header (wrapped here for readability):
Content-Security-Policy:
frame-ancestors https://site1.com;
default-src 'self';
script-src https://site1.com 'self' 'unsafe-inline';
style-src https://site1.com 'self' 'unsafe-inline'
Extra disclosure, possibly not needed - these headers are being generated by a Django application server, using this config and the "django-csp" module.
X_FRAME_OPTIONS = 'Allow-From site1.com'
CSP_FRAME_ANCESTORS = ('https://site1.com',)
CSP_STYLE_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CSP_SCRIPT_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CORS
My understanding is that CORS is only in play when the request contains an "Origin" header. That doesn't seem to be happening here. I have also tried addressing CORS by using this header:
Access-Control-Allow-Origin: https://site1.com
But that appears to have no effect.
Ad blocker
I do not have an ad blocker in this Firefox install. I also removed all of my extensions and re-tested after a Firefox restart, the "blank iframe" behavior remains the same with no extensions installed at all.
Observed behavior
I have tested using the following browsers.
Google Chrome 58.0.3029.81 (64-bit) (macOS)
Safari 10.1 (macOS)
Firefox 53.0 (64-bit) (macOS)
Microsoft Edge 38.14393.0.0 (Windows 10)
Using Chrome, Safari, and Edge, the frame is shown like I expect - site2.com appears as a box inside of the site1.com page.
Using Firefox, I am shown an empty space of the size specified (600x600). If I used iframe, then there is a black border around it. If I used object, it's just a blank area with no border.
The most interesting thing is that if I open the developer console and reload the page, I see the requests to fetch site1.com and its CSS and so on, but there are no requests made for site2.com. It isn't that there is a problem showing site2.com, it is never requested at all.
Also, the developer console shows no errors or warnings about this. If there were an error condition or security exception preventing the loading of the second site, I would expect some sort of warning to be logged.
This has been driving me crazy for a few days. Any suggestions appreciated.
I reproduced the issue on my server which serves 2 domains, and then fixed it this way:
X-Frame-Options: ALLOW-FROM https://SITE1.COM
I added https://, as seen in MDN page for X-Frame-Options
You can observe the difference here (only with Firefox of course, as with other browsers both frames are shown): I pushed a php page that inserts the header without or with https://, and created this fiddle that inserts 2 iframes: Firefox shows the first iframe as empty, and the second one with content (which echoes the value in the header) on the right.
Since you are forced to put a "serialized origin" (protocol+FQDN), I wondered if you can put multiple entries, or wildcards. My understanding of RFC 7034 says you cannot.
Now about this detail:
The most interesting thing is that if I open the developer console and
reload the page, I see the requests to fetch site1.com and its CSS and
so on, but there are no requests made for site2.com. It isn't that
there is a problem showing site2.com, it is never requested at all.
That's because it was cached. I also saw that, but a force-refresh rightly showed a new request was made.
If you knew the source code (right click and view source of the url to embed - but you control it in this case so you can copy and paste) and it was only a reasonably small amount of code (probably, because you're using an iframe), then you could use the HTML5 srcdoc attribute to embed the html code, instead of pointing to the url. This would save a lot of hassle regarding unknown factors regarding the site you want to embed (CORS etc.) which you would not usually know if you didn't have control over the second site.
According to caniuse.com the srcdoc property has full support in Firefox since version 25 onwards (so since Sept 2013).
Hope this helps (Here's a tested jsfiddle example)

How to avoid X-frame-options while embedding html file?

I am using an iframe to import an HTML file from another domain, however I get this error saying Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'sameorigin'. Can you please help me to avoid the exception?
X-Frame-Options is an HTTP header that prevents a URL from being viewed from within an IFrame. The only way to fix this is to change the X-Frame-Options header from the server that is serving the page you want to display within an IFrame.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
The setting has to be done at the web-server level (apache, IIS, etc). This link will give you details on this - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

iframe refuses to display

I am trying to load a simple iframe into one of my web pages but it is not displaying. I am getting this error in Chrome:
Refused to display 'https://cw.na1.hgncloud.com/crossmatch/index.do' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://cw.na1.hgncloud.com".
Invalid 'X-Frame-Options' header encountered when loading 'https://cw.na1.hgncloud.com/crossmatch/index.do': 'ALLOW-FROM https://cw.na1.hgncloud.com' is not a recognized directive. The header will be ignored.
This is the code for my iframe:
<p><iframe src="https://cw.na1.hgncloud.com/crossmatch/" width="680" height="500" frameborder="0"></iframe></p>
I am not really sure what that means. I have loaded plenty iframes before and never received such errors.
Any ideas?
It means that the HTTP server at cw.na1.hgncloud.com sends some HTTP headers to tell web browsers like Chrome to allow iframe loading of that page (https://cw.na1.hgncloud.com/crossmatch/) only from a page hosted on the same domain (cw.na1.hgncloud.com):
Content-Security-Policy: frame-ancestors 'self' https://cw.na1.hgncloud.com
X-Frame-Options: ALLOW-FROM https://cw.na1.hgncloud.com
You should read that :
https://developer.mozilla.org/en-US/docs/Web/Security/CSP
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
The reason for the error is that the host server for https://cw.na1.hgncloud.com has provided some HTTP headers to protect the document. One of which is that the frame ancestors must be from the same domain as the original content. It seems you are attempting to put the iframe at a domain location that is not the same as the content of the iframe - thus violating the Content Security Policy that the host has set.
Check out this link on Content Security Policy for more details.
For any of you calling back to the same server for your IFRAME, pass this simple header inside the IFRAME page:
Content-Security-Policy: frame-ancestors 'self'
Or, add this to your web server's CSP configuration.
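The questions in this thread all come down to the same decision a browser makes from two sets of headers: the embedding page's own CSP (frame-src) limits what it may load but cannot override the framed site, while the framed response's frame-ancestors directive, or failing that its X-Frame-Options header, decides who may frame it. The following Python model is an added example, not code from any post or project in this thread. It applies the CSP Level 2 rule that frame-ancestors takes precedence over X-Frame-Options when both are present, treats ALLOW-FROM as ignored in Chrome (matching the "not a recognized directive" message quoted above) and as requiring a serialized origin with a scheme in Firefox (matching the https:// fix in the Firefox answer), and drops path-based source matching as a simplification. The hosts example.test, other.test and blog.test, and the empty header sets used for the YouTube and site2.com responses, are constructed for the demo.

```python
"""Model of a browser's decision to show or block a cross-site <iframe>.

Added example (not from any post in this thread). Rules applied:
  1. Embedding page's CSP: frame-src, falling back to child-src, then default-src.
  2. Framed response's frame-ancestors; when present, X-Frame-Options is ignored.
  3. Otherwise X-Frame-Options: DENY, SAMEORIGIN, or ALLOW-FROM, which Chrome
     ignores as unrecognized and Firefox enforces only for a serialized origin.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Optional[str]:
    """Serialized origin (scheme://host[:port]) of an absolute URL; None when the
    string has no scheme or host, which is what a bare "SITE1.COM" is."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def get_header(headers: dict, name: str) -> str:
    """Case-insensitive lookup over a plain dict of response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]};
    the first occurrence of a directive wins, as the spec requires."""
    directives = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(source: str, origin: str, self_origin: str) -> bool:
    """Match one source expression ('self', *, https:, [scheme://]host[:port],
    optional *. host prefix) against a serialized origin. Paths are ignored."""
    src = source.lower()
    if src == "'self'":
        return origin == self_origin
    if src == "*":
        return True
    o = urlsplit(origin)
    if src.endswith(":") and "://" not in src:        # scheme-source such as https:
        return o.scheme == src[:-1]
    scheme, rest = src.split("://", 1) if "://" in src else ("", src)
    host, _, port = rest.partition(":")
    if scheme and scheme != o.scheme:                # no scheme given: any scheme accepted (simplification)
        return False
    effective = o.port if o.port is not None else DEFAULT_PORTS.get(o.scheme)
    if port and port != "*" and port != str(effective):
        return False
    if host.startswith("*."):                        # *.youtube.com matches www.youtube.com
        return o.hostname.endswith(host[1:])
    return o.hostname == host


def allowed_by_csp(sources: list, origin: str, self_origin: str) -> bool:
    if not sources or sources == ["'none'"]:
        return False
    return any(source_matches(s, origin, self_origin) for s in sources)


def allowed_by_xfo(value: str, embedder: str, framed: str, browser: str) -> Optional[bool]:
    """True/False for a directive the browser enforces; None when it ignores the header."""
    tokens = value.strip().split(None, 1)
    directive = tokens[0].upper() if tokens else ""
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return embedder == framed
    if directive == "ALLOW-FROM":
        if browser != "firefox":                     # Chrome: "not a recognized directive. The header will be ignored."
            return None
        target = origin_of(tokens[1]) if len(tokens) > 1 else None
        return target is not None and target == embedder   # "ALLOW-FROM SITE1.COM" has no scheme: blank frame
    return None                                      # unknown value: header ignored


@dataclass
class FrameCheck:
    allowed: bool
    reason: str


def can_frame(embedder_url: str, embedder_headers: dict,
              framed_url: str, framed_headers: dict, browser: str = "chrome") -> FrameCheck:
    embedder, framed = origin_of(embedder_url), origin_of(framed_url)
    e_csp = parse_csp(get_header(embedder_headers, "Content-Security-Policy"))
    for name in ("frame-src", "child-src", "default-src"):   # frame-src fallback chain
        if name in e_csp:
            if not allowed_by_csp(e_csp[name], framed, embedder):
                return FrameCheck(False, f"embedding page's {name} does not allow {framed}")
            break
    f_csp = parse_csp(get_header(framed_headers, "Content-Security-Policy"))
    if "frame-ancestors" in f_csp:                   # takes precedence; X-Frame-Options is ignored
        ok = allowed_by_csp(f_csp["frame-ancestors"], embedder, framed)
        return FrameCheck(ok, f"frame-ancestors {'allows' if ok else 'rejects'} {embedder}")
    xfo = get_header(framed_headers, "X-Frame-Options")
    if xfo:
        verdict = allowed_by_xfo(xfo, embedder, framed, browser)
        if verdict is None:
            return FrameCheck(True, f"X-Frame-Options {xfo!r} not recognized by {browser}; ignored")
        return FrameCheck(verdict, f"X-Frame-Options {xfo!r} {'allows' if verdict else 'denies'} {embedder}")
    return FrameCheck(True, "no framing restriction in the framed response")


if __name__ == "__main__":
    # The first question: frame-src on the embedding side cannot override the framed site's SAMEORIGIN.
    print(can_frame("https://example.test/page", {"Content-Security-Policy": "frame-src https://localhost:44359"},
                    "https://localhost:44359/", {"X-Frame-Options": "SAMEORIGIN"}))
    # The Firefox answer: ALLOW-FROM needs a scheme to be a serialized origin.
    for v in ("ALLOW-FROM SITE1.COM", "ALLOW-FROM https://SITE1.COM"):
        print(v, can_frame("https://site1.com/", {}, "https://site2.com/foo/bar", {"X-Frame-Options": v}, "firefox"))
```

Running the module prints the verdicts for the first question and for the two Firefox header variants; the hgncloud case works the same way, with frame-ancestors 'self' rejecting any embedder that is not https://cw.na1.hgncloud.com before X-Frame-Options is even consulted.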
In my case it was that the site I was embedding had a specific URL for embedding content and a different URL for sharing.
The URL I had set in the iframe was
https://site/share/2432423232
Changing it to
https://site/embed/2432423232
worked for me.
The same issue happened to me: don't open the page in a private window.
You can use multiple browsers if you need to log in with different users.