Google Chrome Console Error - google-chrome

It's a Shopify App.Shopify that loads my web application on their iframe.
It works great on Mozila Firefox, IE and other browsers except on Chrome. When I try to load on Chrome, it shows following error.
Refused to frame 'http://5281a995.ngrok.io/' because it violates the
following Content Security Policy directive: "child-src 'self'
https://* shopify-pos://*". Note that 'frame-src' was not explicitly
set, so 'child-src' is used as a fallback.

It looks like the app is not using SSL. Try adjusting your code and/or the callback URL so that your embedded app is served over https:// and not http://.

Related

Chrome extension, because it violates the following Content Security Policy directive but only after refreshing window

I made a chrome extension that loads an iframe on the gmail url. So far so good!
When I install the extension it loads the I framed with no problems but here comes the problem. If I refresh or access gmail again it doesn't work anymore with the following error, and no other errors.
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self'
https://clients4.google.com/insights/consumersurveys/
https://calendar.google.com/accounts/ https://ogs.google.com
https://onegoogle-autopush.sandbox.google.com
https://accounts.google.com/ https://apis.google.com/u/
https://apis.google.com/_/streamwidgets/
https://clients6.google.com/static/
https://content.googleapis.com/static/
https://mail-attachment.googleusercontent.com/
https://www.google.com/calendar/ https://calendar.google.com/calendar/
https://docs.google.com/ https://drive.google.com
https://.googleusercontent.com/docs/securesc/
https://feedback.googleusercontent.com/resources/
https://www.google.com/tools/feedback/
https://support.google.com/inapp/
https://.googleusercontent.com/gadgets/ifr
https://hangouts.google.com/ https://talkgadget.google.com/
https://.talkgadget.google.com/
https://www-gm-opensocial.googleusercontent.com/gadgets/
https://plus.google.com/ https://wallet.google.com/gmail/
https://www.youtube.com/embed/
https://clients5.google.com/pagead/drt/dn/
https://clients5.google.com/ads/measurement/jn/
https://www.gstatic.com/mail/ww/ https://www.gstatic.com/mail/intl/
https://clients5.google.com/webstore/wall/
https://ci3.googleusercontent.com/ https://workspace.google.com/u/
https://workspace.google.com/marketplace/appfinder
https://gsuite.google.com/u/
https://gsuite.google.com/marketplace/appfinder
https://www.gstatic.com/mail/promo/ https://notifications.google.com/
https://tracedepot-pa.clients6.google.com/static/
https://staging-taskassist-pa-googleapis.sandbox.google.com
https://taskassist-pa.clients6.google.com
https://.prod.amp4mail.googleusercontent.com/
https://.client-channel.google.com/client-channel/client
https://clients4.google.com/invalidation/lcs/client
https://tasks.google.com/embed/ https://keep.google.com/companion
https://addons.gsuite.google.com
https://contacts.google.com/widget/hovercard/v/2
https://gsuite.google.com
https://.googleusercontent.com/confidential-mail/attachments/".
Now. You are wondering if I put the CSP in my header. The answer is yes. I have header("Content-Security-Policy: frame-src 'self' https://*.google.com;"); in my php and the header si loaded. But the question I can't answer is: Is Chrome seeing errors after the page refresh and why?
In theory if there is a problem in the CSP it should block the iframe from the first moment, and not after a while.
Do you know anything about this?
Refused to frame 'https://...........com/' because it violates the
following Content Security Policy directive: "frame-src 'self' ... Google's domains here ...
It's not your CSP, but some of Google's iframe publish its own. Because commonly Google does not allow to embed own into third-party.
Most interesting part: 'https://...........com/' is hidden (is here your domain or not?).
Is Chrome seeing errors after the page refresh and why?
Google's services based on a lot of it own iframes, wich inter each other based on Cookie.
For example, you can embed https://gmail.com into iframe, but if you are logged into account (have auth Cookies), Gmail does auto redirect you to https://mail.google.com/mail/u/0/ page which does not allow iframing (because of X-Frame-Options deny).
Behavior of iframes of Google could be very complicated, so a exact answer "Why" is not possible without detail researches.
Anyway embed of Google services (not officially intended for embedding) into iframe is not a good idea. Google does not allow that because of security.

Safari only: Refused to connect to ... because it does not appear in the connect-src directive of the Content Security Policy

When using Google Analytics, I'm getting the following error from Safari 13.1 but not from Chrome:
Refused to connect to https://www.google-analytics.com/j/collect?XYZ
because it does not appear in the connect-src directive of the Content Security Policy.
My application doesn't try to connect to www.google-analytics.com, but it downloads a script from www.googletagmanager.com which in turn downloads a script from www.google-analytics.com.
My CSP are configured as follows:
script-src 'self' 'unsafe-eval' data: www.google-analytics.com www.googletagmanager.com www.google.com www.gstatic.com
connect-src 'self'
So as Safari says, I don't have google-analytics in connect-src, but that doesn't seem to be a problem for Chrome.
Is my CSP wrong (and Chrome is being too permissive) or is this a bug in Safari?
Safari is right. Chrome is being too permissive:
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript.
Note that this statement is not qualified.
Chrome also violates other postulates of CSP. For example, blocked-uri for different origins requires that the URI path is stripped, but Chrome doesn't do that and Safari does.
At this point in time Safari seems to be more compliant/strict than Chrome, but in any case you should go by the stricter browser because, well, you don't really have a choice...

<iframe> and <object> are both blank, but only in Firefox

I am attempting to embed one site into another site. I control both servers, which I will refer to here as "site1.com" (the site in the browser) and "site2.com" (the site I am trying to embed).
HTML embed code
Attempt 1, using iframe tag:
<iframe height="600" width="600" name="my other site"
src="https://site2.com/foo/bar">
Unable to display--your browser does not support frames.
</iframe>
Attempt 2, using object tag:
<object type="text/html" height="600" width="600" name="my other site"
data="https://site2.com/foo/bar"></object>
Things I know are not the problem
Secure/insecure mismatch
I've read that Firefox will not allow an HTTP embed into an HTTPS page. Both sites are HTTPS, so there is no mismatch. The loaded resources (CSS, etc) are also https, from same origin, so there is no mixed-content problem.
I have tried setting security.mixed_content.block_active_content to false, in case I was mistaken about this, but the iframe was still blank.
Invalid or untrusted certificates
Both sites are using valid certificates, signed by a proper trusted authority, and are not expired. In fact, we are using a subdomain wildcard certificate, so they are both using the same certificate (they both are in the same subdomain).
X-Frame-Options
The site that I am trying to embed has this response header:
X-Frame-Options: ALLOW-FROM SITE1.COM
Content-Security-Policy
The site that I am trying to embed has this response header (wrapped here for readability):
Content-Security-Policy:
frame-ancestors https://site1.com;
default-src 'self';
script-src https://site1.com 'self' 'unsafe-inline';
style-src https://site1.com 'self' 'unsafe-inline'
Extra disclosure, possibly not needed - these headers are being generated by a Django application server, using this config and the "django-csp" module.
X_FRAME_OPTIONS = 'Allow-From site1.com'
CSP_FRAME_ANCESTORS = ('https://site1.com',)
CSP_STYLE_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CSP_SCRIPT_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CORS
My understanding is that CORS is only in play when the request contains an "Origin" header. That doesn't seem to be happening here. I have also tried addressing CORS by using this header:
Access-Control-Allow-Origin: https://site1.com
But that appears to have no effect.
Ad blocker
I do not have an ad blocker in this Firefox install. I also removed all of my extensions and re-tested after a Firefox restart, the "blank iframe" behavior remains the same with no extensions installed at all.
Observed behavior
I have tested using the following browsers.
Google Chrome 58.0.3029.81 (64-bit) (macOS)
Safari 10.1 (macOS)
Firefox 53.0 (64-bit) (macOS)
Microsoft Edge 38.14393.0.0 (Windows 10)
Using Chrome, Safari, and Edge, the frame is shown like I expect - site2.com appears as a box inside of the site1.com page.
Using Firefox, I am shown an empty space of the size specified (600x600). If I used iframe, then there is a black border around it. If I used object, it's just a blank area with no border.
The most interesting thing is that if I open the developer console and reload the page, I see the requests to fetch site1.com and its CSS and so on, but there are no requests made for site2.com. It isn't that there is a problem showing site2.com, it is never requested at all.
Also, the developer console shows no errors or warnings about this. If there were an error condition or security exception preventing the loading of the second site, I would expect some sort of warning to be logged.
This has been driving me crazy for a few days. Any suggestions appreciated.
I reproduced the issue on my server which serves 2 domains, and then fixed it this way:
X-Frame-Options: ALLOW-FROM https://SITE1.COM
I added https://, as seen in MDN page for X-Frame-Options
You can observe the difference here (only with Firefox of course, as with other browsers both frames are shown): I pushed a php page that inserts the header without or with https://, and created this fiddle that insert 2 iframes: Firefox shows first iframe as empty, and second one with content (which echoes the value in header) on the right.
Since you are forced to put a "serialized origin" (protocol+FQDN), I wondered if you can put multiple entries, or wildcards. My understanding of RFC 7034 says you cannot.
Now about this detail:
The most interesting thing is that if I open the developer console and
reload the page, I see the requests to fetch site1.com and its CSS and
so on, but there are no requests made for site2.com. It isn't that
there is a problem showing site2.com, it is never requested at all.
That's because it was cached. I also saw that, but a force-refresh rightly showed a new request was made.
If you knew the source code (right click and view source of url to embed - but you control it in this case so you can copy and paste) and it was only a reasonably small amount of code (probable because you're using an iframe), then you could use the HTML5 srcdoc attribute to embed the html code, instead of pointing to the url. This would save a lot of hassle regarding unknown factors regarding the site you want to embed (CORS etc..) which you would not usually know if you didn't have control over the second site.
According to caniuse.com the srcdoc property has full support in Firefox since vsn 25 onwards (so since Sept 2013).
Hope this helps (Here's a tested jsfiddle example)

iframe not working in chrome browser but safari working correctly

i'm using iframe for loading third party web site. not(youtube,linkedIn) it's ex: zomato
its not working in chrome .it say like this in console
Refused to display 'https://www.zomato.com/' in a frame because an ancestor violates the
following Content Security Policy directive: "frame-ancestors 'self'".
but same thing is working in safari browser .
Apparently, zomato has a Content Security Policy which prevents being loaded in iframe of other domains.
"frame-ancestors 'self'" means domain of parent of zomato can only be the same as https://www.zomato.com/.
It works in safari because safari don't support this CSP setting yet.
chromium-browser --disable-web-security
From the chromium source:
// Don't enforce the same-origin policy. (Used by people testing their sites.)

iframe contents cant appear in Firefox

Below is my code:
<div style="border: solid 1px #000000; margin: 5px;">
<iframe src="http://www.w3schools.com" width="100%" height="300px" scrolling="yes"><p>Your browser does not support iframe.</p></iframe>
</div>
Contents of iframe works well in chrome but not in firefox. I've disabled add-ons but my iframe is still empty. Can anyone please help me?
If you are trying to add this Iframe on a SSL-encrypted website (https://), it won't work any more since Firefox 23 because Mozilla has decided to blocked all unencrypted content on encrypted websites (for example http-iframes on https-websites).
You can change this behaviour in your own Firefox installation by typing about:config in the address bar and setting security.mixed_content.block_active_content to false.
But that won't help you for all other FF23-visitors on your website.
As of 05/2018, the iframe lead is denied by browser due to X-Frame-Options header set to 'sameorigin'.
Tested the page with Firefox and getting blank iframe.
Here is what console says:
Load denied by X-Frame-Options: https://www.w3schools.com/ does not permit cross-origin framing.
Why that?I'll give Chrome console a chance, here's what it says:
Refused to display 'https://www.w3schools.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Basically, X-Frame-Options header (do not confuse that with CORS), is set to 'sameorigin', that means that the browser is allowed to display the iframe content only if embedded in same domain and same protocol (https://www.w3schools.com/ is not sameorigin of http://www.w3schools.com/).
Here are some docs aboiut x-frame-options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
I don't know if its related but when I try to request w3schools by c# it responses 503 forbidden error. So they may use something to prevent showing up on iframes, etc. Facebook has similiar restrictions, you cannot display their likebox iframe unless you log in.
Why no one has mentioned CORS yet?
FROM mdn
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to let a user agent gain permission to access
selected resources from a server on a different origin (domain) than
the site currently in use. A user agent makes a cross-origin HTTP
request when it requests a resource from a different domain, protocol,
or port than the one from which the current document originated.
An example of a cross-origin request: A HTML page served from
http://domain-a.com makes an src request for
http://domain-b.com/image.jpg. Many pages on the web today load
resources like CSS stylesheets, images, and scripts from separate
domains, such as content delivery networks (CDNs).
For security reasons, browsers restrict cross-origin HTTP requests
initiated from within scripts. For example, XMLHttpRequest and the
Fetch API follow the same-origin policy. This means that a web
application using those APIs can only request HTTP resources from the
same domain the application was loaded from unless CORS headers are
used.
This means that the websites you are trying to enter from the iframe are set to deny requests from your site or others (if not all).
I had the same issue. For me the cause was a trailing slash at the end of the url.
Doesn't work:
<iframe src="http://example.com/some/sub/folder/"></iframe>
Works:
<iframe src="http://example.com/some/sub/folder"></iframe>
You need to have source file of iframe on localhost.
Firefox and Chrome doesn't display this iframe:
<iframe src="https://www.yourdomain.com/form.html"></iframe>
Works:
<iframe src="/form.html"></iframe>