A sibling department has created an HTML file that is effectively a scaffold for a handful of iframes. The iframes each call a report, which is hosted on a web server, with slightly different parameters. The called report will show a sign-on form to unauthenticated users, or the report contents to already-authenticated users.
scaffold.html:
<html>
<head>
<title>I just show the output from a bunch of report calls</title>
</head>
<body>
<iframe src="https://somesite.com/useful_report.html?parameter1=a¶meter2=1" id="iframe1"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=b¶meter2=2" id="iframe2"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=c¶meter2=3" id="iframe3"></iframe>
<iframe src="https://somesite.com/useful_report.html?parameter1=d¶meter2=4" id="iframe4"></iframe>
</body>
</html>
The sibling organization explained to us that if a user was signed on to https://somesite.com, the above setup worked great--each of the iframes would display the useful_report.html content...until a few days ago.
When I
sign on to https://somesite.com, then
load file:///C:/Users/me/Desktop/scaffold.html into Chrome
each of the iframes returns the https://somesite.com sign on form. If I then open useful_report.html in a separate tab, the report content loads (proving somesite.com knows I am still signed on‡).
Using developer tools, I can see that the request headers to useful_report.html do not include the "Cookie:" attribute, so this explains why useful_report.html returns the sign on form.
My question is why are the iframe requests not sending cookies? What Chrome and/or server setting/policy/directive prevents it?
‡ - and now it knows that I know that it knows.
That's because of the SameSite cookie policy that Chrome defaults to Lax, meaning the cookies won't be sent unless the user can see the URL which excludes iframes.
If you own the somesite.com you can opt-out of this policy by setting SameSite policy to None and deal with the risk of CSRF attacks by Double Submit Cookie.
Related
In our application,we have an IFrame which is used to display any site (which are set through admin/crm console).We are experiencing a strange issue in showing sites with cookie consent popup in IFrame. In IFrame even if user accepts the Cookies consent,in subsequent requests the popup appears again.It looks like the IFrame is not able to send or set the cookies.
When we open the websites in browser tabs, the popup does not come again once we accept the cookie.What might be happening and how can we get rid of these cookie consent popups once the user accepts it in the IFrame? Please note we don't have control over the sites shown in IFrame.
I tried simple HTML page with IFrame and the issue replicated there,code as follow
<html>
<head>
<title>IFrame issue</title>
</head>
<body>
<iframe src="https://www.nutrition.org.uk/" height="100%" width="100%" title="IFrame Example" ></iframe>
</body>
</html>
Screenshot of popup (Bottom of the page in black color)
Update:-
I checked the cookies set for this website,
In normal browser tab when user clicks "OK" button.A new cookie is set e.g. in this case "cookieAcceptanceCookie"="accepted".Check below image,
Same i checked with IFrame and there too same cookie was set.Check below image.
So it looks like the issue remains in sending this cookie in subsequent requests.I guess normal browser tabs can send this cookie where as IFrame is not able to send it,hence this issue is coming in the IFrame.
This is actually a common privacy feature of browsers, that iframes aren't allowed to set Cookies. It's a protection against CSRF and an anti-tracking feature, because websites for a long time were tracking users via cookies that come from iframes.
You'll probably need to instruct your users to Allow third-party cookies in chrome://settings/content/cookies, possibly creating a page like this one.
If you controlled the sites inside the iframe, you could use SameSite=None ..... but unfortunately that's not applicable because you don't have control of them.
Below is my code:
<div style="border: solid 1px #000000; margin: 5px;">
<iframe src="http://www.w3schools.com" width="100%" height="300px" scrolling="yes"><p>Your browser does not support iframe.</p></iframe>
</div>
Contents of iframe works well in chrome but not in firefox. I've disabled add-ons but my iframe is still empty. Can anyone please help me?
If you are trying to add this Iframe on a SSL-encrypted website (https://), it won't work any more since Firefox 23 because Mozilla has decided to blocked all unencrypted content on encrypted websites (for example http-iframes on https-websites).
You can change this behaviour in your own Firefox installation by typing about:config in the address bar and setting security.mixed_content.block_active_content to false.
But that won't help you for all other FF23-visitors on your website.
As of 05/2018, the iframe lead is denied by browser due to X-Frame-Options header set to 'sameorigin'.
Tested the page with Firefox and getting blank iframe.
Here is what console says:
Load denied by X-Frame-Options: https://www.w3schools.com/ does not permit cross-origin framing.
Why that?I'll give Chrome console a chance, here's what it says:
Refused to display 'https://www.w3schools.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Basically, X-Frame-Options header (do not confuse that with CORS), is set to 'sameorigin', that means that the browser is allowed to display the iframe content only if embedded in same domain and same protocol (https://www.w3schools.com/ is not sameorigin of http://www.w3schools.com/).
Here are some docs aboiut x-frame-options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
I don't know if its related but when I try to request w3schools by c# it responses 503 forbidden error. So they may use something to prevent showing up on iframes, etc. Facebook has similiar restrictions, you cannot display their likebox iframe unless you log in.
Why no one has mentioned CORS yet?
FROM mdn
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to let a user agent gain permission to access
selected resources from a server on a different origin (domain) than
the site currently in use. A user agent makes a cross-origin HTTP
request when it requests a resource from a different domain, protocol,
or port than the one from which the current document originated.
An example of a cross-origin request: A HTML page served from
http://domain-a.com makes an src request for
http://domain-b.com/image.jpg. Many pages on the web today load
resources like CSS stylesheets, images, and scripts from separate
domains, such as content delivery networks (CDNs).
For security reasons, browsers restrict cross-origin HTTP requests
initiated from within scripts. For example, XMLHttpRequest and the
Fetch API follow the same-origin policy. This means that a web
application using those APIs can only request HTTP resources from the
same domain the application was loaded from unless CORS headers are
used.
This means that the websites you are trying to enter from the iframe are set to deny requests from your site or others (if not all).
I had the same issue. For me the cause was a trailing slash at the end of the url.
Doesn't work:
<iframe src="http://example.com/some/sub/folder/"></iframe>
Works:
<iframe src="http://example.com/some/sub/folder"></iframe>
You need to have source file of iframe on localhost.
Firefox and Chrome doesn't display this iframe:
<iframe src="https://www.yourdomain.com/form.html"></iframe>
Works:
<iframe src="/form.html"></iframe>
I'm making an offline webpage that automatically logs into an online website.
The website uses ssl (https) and to login it uses a form (post variables)
The problem I'm encountering is the following:
The site only accepts my offline form, when I open the online login page first.
This is because the website uses (server-side) sessions which are made when opening the first page. (The purpose of the session is to detect a time-out)
When I first open the online website and then run my offline page everything works fine.
So I need to make my offline webpage open the online website before posting the form automatically.
I tryed this with an iframe, but this doesn't work in internet explorer, as it is a https website. (It does work in Chrome, firefox,...)
I was wondering if Ajax could send a https page request before posting my form. But I guess not as it is https.
Does anybody know a method to send a https page request just like the browser does, but without showing it's output? Afterward I can automatically submit my form.
Thanks in advance!
Internet Explorer treats iframes from other domains as third party content, and uses a separate set of security policies for them. The security zone settings are also in effect between file:/// "local machine"/"offline" webpages and "internet"/"online" webpages. Cookies are usually blocked from third party content (depending on your settings), which means that the unique session key set in the cookies won't be saved. Without this key, the site you are trying to log in to will "forget" your session/login.
Cross-domain AJAX request are also affected by security zones and cross-domain policies, but the settings may differ between IE versions.
There are ways around the limitations, using P3P policies, if you control the target web page. Cookie blocked/not saved in IFRAME in Internet Explorer shows how. But, if you do own the web page, it would be better to enable or implement your own "remember me" feature.
In your case, depending on if you are the only one to use your offline autologin webpage, perhaps allowing third party cookies in Internet Explorer will help. See Options > Privacy > Allow all cookies (or in a similar). This will allow others (mostly ad companies) to track you all over the internet though.
If the purpose for your autologin page is testing, rather than actually using the browser as a human being, perhaps you can automate both logging in and testing?
I want to have two facebook pages open at the same time as part of my html page.
So when you go to mypage.html, there will be displayed two facebook pages. Is this possible?
I get something like:
with code like:
<frameset cols="25%,75%">
or
<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
<p>Your browser does not support iframes.</p> </iframe>
I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the facebook frame and taking some action (e.g. posting a malicious link to their profile, etc).
While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe in your page. The Same Origin Policy dictates that javascript on one domain cannot access anything on a page on a different domain.
Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME(or any frame) could use Javascript to access elements of the facebook page, including username and password fields.
There is no way around this. It is built in to the browsers themselves to send some information along in the request header that says it is being requested to be put in frame.
Gmail and several other sites do this as well.
There are specific situations where overriding the "x-frame-options" security policy is useful, such as in digital signage where it is desirable to show an organization's facebook page in a iframe alongside other signage iframes.
Clickjacking and phishing will not occur because the organization is displaying its own facebook page on its own browser-driven display devices.
If the browser doesn't provide an internal x-frame override on its "about:flags" page, you may need to install a browser extension to override x-frame-options on the signage device.
Trying to copy a cookie from second.com to first.com, with full control of both domains.
Previously an iFrame was used, however this is not able to work across all browsers as it touched on 'third-party cookies' which are hard to implement and impossible in Safari and Chrome.
The new approach uses a SCRIPT tag pointing to second.com and included in the HEAD of first.com. The server-side script is actually a piece of Java which reads the cookies sent with the request (the cookies from second.com) and the JavaScript returned executes on first.com and essentially duplicates the cookie here. This is working great in all browsers except IE, where IE appears to not be sending the second.com cookies with SCRIPT request, so the Java is not able to pickup the cookie value from second.com.
This is surely to do with IE security settings as when I put privacy to the lowest level it is working, but my question is why are the cookies being blocked at all? I thought the SCRIPT tag was not subject to the same origin policy (that AJAX and other technologies have to comply with).
Any solution to this without heading down the P3P privacy policy route?
It's definitely IE security settings, if you're attempting this you'll need to set a P3P compact privacy policy on the page which sets the cookie on first.com, even before you've reached second.com