I am attempting to embed one site into another site. I control both servers, which I will refer to here as "site1.com" (the site in the browser) and "site2.com" (the site I am trying to embed).
HTML embed code
Attempt 1, using iframe tag:
<iframe height="600" width="600" name="my other site"
src="https://site2.com/foo/bar">
Unable to display--your browser does not support frames.
</iframe>
Attempt 2, using object tag:
<object type="text/html" height="600" width="600" name="my other site"
data="https://site2.com/foo/bar"></object>
Things I know are not the problem
Secure/insecure mismatch
I've read that Firefox will not allow an HTTP embed into an HTTPS page. Both sites are HTTPS, so there is no mismatch. The loaded resources (CSS, etc) are also https, from same origin, so there is no mixed-content problem.
I have tried setting security.mixed_content.block_active_content to false, in case I was mistaken about this, but the iframe was still blank.
Invalid or untrusted certificates
Both sites are using valid certificates, signed by a proper trusted authority, and are not expired. In fact, we are using a subdomain wildcard certificate, so they are both using the same certificate (they both are in the same subdomain).
X-Frame-Options
The site that I am trying to embed has this response header:
X-Frame-Options: ALLOW-FROM SITE1.COM
Content-Security-Policy
The site that I am trying to embed has this response header (wrapped here for readability):
Content-Security-Policy:
frame-ancestors https://site1.com;
default-src 'self';
script-src https://site1.com 'self' 'unsafe-inline';
style-src https://site1.com 'self' 'unsafe-inline'
Extra disclosure, possibly not needed - these headers are being generated by a Django application server, using this config and the "django-csp" module.
X_FRAME_OPTIONS = 'Allow-From site1.com'
CSP_FRAME_ANCESTORS = ('https://site1.com',)
CSP_STYLE_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CSP_SCRIPT_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
CORS
My understanding is that CORS is only in play when the request contains an "Origin" header. That doesn't seem to be happening here. I have also tried addressing CORS by using this header:
Access-Control-Allow-Origin: https://site1.com
But that appears to have no effect.
Ad blocker
I do not have an ad blocker in this Firefox install. I also removed all of my extensions and re-tested after a Firefox restart, the "blank iframe" behavior remains the same with no extensions installed at all.
Observed behavior
I have tested using the following browsers.
Google Chrome 58.0.3029.81 (64-bit) (macOS)
Safari 10.1 (macOS)
Firefox 53.0 (64-bit) (macOS)
Microsoft Edge 38.14393.0.0 (Windows 10)
Using Chrome, Safari, and Edge, the frame is shown like I expect - site2.com appears as a box inside of the site1.com page.
Using Firefox, I am shown an empty space of the size specified (600x600). If I used iframe, then there is a black border around it. If I used object, it's just a blank area with no border.
The most interesting thing is that if I open the developer console and reload the page, I see the requests to fetch site1.com and its CSS and so on, but there are no requests made for site2.com. It isn't that there is a problem showing site2.com, it is never requested at all.
Also, the developer console shows no errors or warnings about this. If there were an error condition or security exception preventing the loading of the second site, I would expect some sort of warning to be logged.
This has been driving me crazy for a few days. Any suggestions appreciated.
I reproduced the issue on my server which serves 2 domains, and then fixed it this way:
X-Frame-Options: ALLOW-FROM https://SITE1.COM
I added https://, as seen in MDN page for X-Frame-Options
You can observe the difference here (only with Firefox of course, as with other browsers both frames are shown): I pushed a php page that inserts the header without or with https://, and created this fiddle that insert 2 iframes: Firefox shows first iframe as empty, and second one with content (which echoes the value in header) on the right.
Since you are forced to put a "serialized origin" (protocol+FQDN), I wondered if you can put multiple entries, or wildcards. My understanding of RFC 7034 says you cannot.
Now about this detail:
The most interesting thing is that if I open the developer console and
reload the page, I see the requests to fetch site1.com and its CSS and
so on, but there are no requests made for site2.com. It isn't that
there is a problem showing site2.com, it is never requested at all.
That's because it was cached. I also saw that, but a force-refresh rightly showed a new request was made.
If you knew the source code (right click and view source of url to embed - but you control it in this case so you can copy and paste) and it was only a reasonably small amount of code (probable because you're using an iframe), then you could use the HTML5 srcdoc attribute to embed the html code, instead of pointing to the url. This would save a lot of hassle regarding unknown factors regarding the site you want to embed (CORS etc..) which you would not usually know if you didn't have control over the second site.
According to caniuse.com the srcdoc property has full support in Firefox since vsn 25 onwards (so since Sept 2013).
Hope this helps (Here's a tested jsfiddle example)
I have created a site that lists a series of links to external websites about a specific topic and then when the user clicks on such links the links open in an iframe.
It works locally but on my shared hosting server every link that is clicked opens in the full browser (as if target were set to "_top" instead of "myIFRAME").
I have tried adding an .htaccess file to my root with this:
Header always append X-Frame-Options ALLOWALL
and this:
add_header X-Frame-Options "ALLOWALL"
as well as this:
Header always append X-Frame-Options ALLOW-FROM http://www.example.com
In each of these cases I have verified with Google Chrome Dev Tools that the headers were being set and they were, but the pages keep openig in the main browser.
Is there anything else I can do?
Or my only solution to swap iframes for deprecated frames?
Thanks
Actually I was able to make it work.
I added a:
<base target="myTargetFrameID">
in the section of my main html file.
And I also added this:
Header always unset X-Frame-Options
to an .htaccess file in the folder of the script (which I read about here: http://osric.com/chris/accidental-developer/2016/02/per-directory-x-frame-options-header-apache/)
Works now.
Thanks
You can't, and there is no workaround. Framesets won't work either; X-Frame-Options applies to all types of frames, not just iframes.
The purpose of the X-Frame-Options header is to allow a web site to prevent itself from being displayed in a frame. You cannot override it by setting headers on a page on your own domain; that would make the header useless.
If you want to link to these sites, you will need to link to them normally. You cannot display them in frames.
I have a simple flex application that I created for testing. I download "flex-iframe-1.4.6.zip" library and using this library I am trying to display a url. But it does not show the web page instead it shows an error: "This content cannot be displayed in a frame".
<flexiframe:IFrame id="mapIFrame" visible="true"
source="http://www.google.com" width="500" height="500" label="Google"/>
How can I solve this problem?
The message "This content cannot be displayed in a frame" is coming from Internet Explorer.
See IE8 Security Part VII: ClickJacking Defenses:
Web developers can send a HTTP response header named X-FRAME-OPTIONS
with HTML pages to restrict how the page may be framed. If the
X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the
page from rendering if it will be contained within a frame. If the
value contains the token SAMEORIGIN, IE will block rendering only if
the origin of the top level-browsing-context is different than the
origin of the content containing the X-FRAME-OPTIONS directive.
google.com`s current response header contains: X-Frame-Options: SAMEORIGIN
So the answer is: you can't use http://www.google.com in an iframe.
Accordingly, the example in the flex-iframe users guide is outdated (last edit 2 years ago).
I've a site using http and I need to put an https iframe link in it. The iframe is working fine in all browsers except in Internet Explorer. I know it's related to domain security, but need to solve it.
The error message shown in IE: "This content cannot be displayed in a frame."
How can I solve this issue?
I also tried to change the https link like: "//domain.com" and https://managewp.com/user-guide/faq/how-to-enable-iframe-in-internet-explorer-10 but both didn't work.
Please help me. Thanks in Advance.
This content cannot be displayed in a frame.
Is the message you get when you attempt to frame a page whose owner has asked for it not to be framed (using the X-Frame-Options header). This is not related to HTTP-vs-HTTPS, and it should fail on other newer browsers too.
I have a website which is hosted via my providers webhosting.
I have bought another domainname and forwarded my current website to it.
The technique it uses is cloacking, so my old website is a frame in my new domain.
Everything works perfectly but when I click a hyperlink that goes outside the website (e.g. facebook page), the page won't show.
I have the following error in my Google Chrome console:
Refused to display Hyperlink in a frame because it set X-Frame-Options to DENY.
Any link, tutorial help will be appreciated.
The X-Frame-Options is submitted by pages if they don't want to be displayed in frame or iframe (see mdn: The X-Frame-Options response header)
The message tells you that Facebook tells the browser, that it does not want to be displayed in a frame. To solve this problem you need to set the target attribute for these links to _top or _parent. But be award that the user could prevent these options by browser extensions.
If you plan to use the second domain instead of the first one you should think over doing a 301 redirect. What you should avoid is to find a solution that displays the same content (without iframe) on both domains, because of double content.