Google Chrome cross domain cookie issue with iframe - google-chrome

I know this has been asked a few times, but on all the answers I found there was someone asking if it would still work and somebody else saying that it doesn't, so I was wondering if there is a solution to this problem that still works with the latest version of Chrome:
Let's say we have a website with an iframe embedded in it; the iframe's source is from another host. The page inside the iframe needs cookies to work, but Google Chrome seems to refuse to set cookies that are set within the iframe. (This only happens when "block 3rd party cookies" is checked, which seems to be happening on its own, because I have multiple reports from different users who didn't touch the advanced options.)
I have control over both of the sites, though I can only modify the HTML on the page that contains the iframe, no server-side stuff.
Things I have tried so far that didn't work:
Embedding an image from the same host as the iframe's source
Making a POST request to the iframe
Setting up a P3P header
I can also send messages using xdm, though I don't know if that could help.
If anyone has any further ideas it would be greatly appreciated! I feel like there must be a solution to this problem somewhere.

Setting cookies inside an iframe can be troublesome. However, an iframe can access cookies set outside the iframe. You can show the page in a popup window which sets the necessary cookies (like authentication, etc.) and then access these cookies from within the iframe.
This is very helpful in case you want to authenticate a user on some other domain. Just show a popup, authenticate and set cookies, then access these cookies on your site from the iframe.

Related

Chrome browser back with multiple YouTube API iframes loads them wrongly

I have a problem in my application with multiple YouTube videos loaded on one page. I use the YouTube API to load the iframes.
However, in Chrome I found one intermittent bug. Sometimes when I go to another page and click the browser's back button, the YouTube iframe loads wrongly.
I checked the script and it calls the correct YouTube ID for each tag; I also used inspect element to check the iframe's YouTube ID and it is correct too. But the iframe content is wrong after browser back.
Kindly advise. Thanks.
There's actually a logged issue 395791 in the Chromium issue tracker, and based on that thread, a workaround to avoid this bug which has already worked for some is to give each iframe a name, since the HistoryItems would then get matched up correctly.

How to allow HTTPS content within an iframe on an HTTP site?

I have a site using HTTP and I need to put an HTTPS iframe link in it. The iframe works fine in all browsers except Internet Explorer. I know it's related to domain security, but I need to solve it.
The error message shown in IE: "This content cannot be displayed in a frame."
How can I solve this issue?
I also tried changing the HTTPS link to "//domain.com" and following https://managewp.com/user-guide/faq/how-to-enable-iframe-in-internet-explorer-10, but neither worked.
Please help me. Thanks in advance.
"This content cannot be displayed in a frame." is the message you get when you attempt to frame a page whose owner has asked for it not to be framed (using the X-Frame-Options header). This is not related to HTTP vs. HTTPS, and it should fail on other newer browsers too.

Hyperlinks in a cloaked website

I have a website which is hosted via my provider's web hosting.
I have bought another domain name and forwarded my current website to it.
The technique it uses is cloaking, so my old website is a frame in my new domain.
Everything works perfectly, but when I click a hyperlink that goes outside the website (e.g. a Facebook page), the page won't show.
I have the following error in my Google Chrome console:
Refused to display Hyperlink in a frame because it set X-Frame-Options to DENY.
Any link or tutorial help will be appreciated.
The X-Frame-Options header is sent by pages if they don't want to be displayed in a frame or iframe (see MDN: The X-Frame-Options response header).
The message tells you that Facebook tells the browser that it does not want to be displayed in a frame. To solve this problem you need to set the target attribute for these links to _top or _parent. But be aware that the user could prevent these options with browser extensions.
If you plan to use the second domain instead of the first one, you should consider doing a 301 redirect. What you should avoid is a solution that displays the same content (without an iframe) on both domains, because of duplicate content.

Automatic login to website only works when a session is made

I'm making an offline web page that automatically logs into an online website.
The website uses SSL (HTTPS) and to log in it uses a form (POST variables).
The problem I'm encountering is the following:
The site only accepts my offline form when I open the online login page first.
This is because the website uses (server-side) sessions which are made when opening the first page. (The purpose of the session is to detect a time-out.)
When I first open the online website and then run my offline page, everything works fine.
So I need to make my offline web page open the online website before posting the form automatically.
I tried this with an iframe, but this doesn't work in Internet Explorer, as it is an HTTPS website. (It does work in Chrome, Firefox, ...)
I was wondering if Ajax could send an HTTPS page request before posting my form. But I guess not, as it is HTTPS.
Does anybody know a method to send an HTTPS page request just like the browser does, but without showing its output? Afterwards I can automatically submit my form.
Thanks in advance!
Internet Explorer treats iframes from other domains as third-party content, and uses a separate set of security policies for them. The security zone settings are also in effect between file:/// "local machine"/"offline" web pages and "internet"/"online" web pages. Cookies are usually blocked from third-party content (depending on your settings), which means that the unique session key set in the cookies won't be saved. Without this key, the site you are trying to log in to will "forget" your session/login.
Cross-domain AJAX requests are also affected by security zones and cross-domain policies, but the settings may differ between IE versions.
There are ways around the limitations, using P3P policies, if you control the target web page. Cookie blocked/not saved in IFRAME in Internet Explorer shows how. But, if you do own the web page, it would be better to enable or implement your own "remember me" feature.
In your case, depending on whether you are the only one to use your offline autologin web page, perhaps allowing third-party cookies in Internet Explorer will help. See Options > Privacy > Allow all cookies (or similar). This will allow others (mostly ad companies) to track you all over the internet, though.
If the purpose of your autologin page is testing, rather than actually using the browser as a human being, perhaps you can automate both logging in and testing?

Open Facebook page in iframe or frame?

I want to have two Facebook pages open at the same time as part of my HTML page.
So when you go to mypage.html, two Facebook pages will be displayed. Is this possible?
I get something like:
with code like:
<frameset cols="25%,75%">
or
<iframe height="*" src="http://www.facebook.com/photo.php?fbid=10150277739848763&set=pu.105012493762&type=1&theater" width="100%">
<p>Your browser does not support iframes.</p> </iframe>
I work on Facebook's security team and actually helped write the code that causes this. We do this (a form of frame busting) to prevent clickjacking attacks, where an attacker can put Facebook in an iframe, hide it, and trick the user into clicking in the Facebook frame and taking some action (e.g. posting a malicious link to their profile, etc.).
While Jason's answer is going in the right direction, it's not true that browsers will give you access to the DOM of a page you insert in an iframe on your page. The Same Origin Policy dictates that JavaScript on one domain cannot access anything on a page on a different domain.
Facebook prevents you from linking directly to the actual site via IFRAME (or any frame). This is because any site putting Facebook in an IFRAME (or any frame) could use JavaScript to access elements of the Facebook page, including username and password fields.
There is no way around this. It is built into the browsers themselves to send some information along in the request header that says it is being requested to be put in a frame.
Gmail and several other sites do this as well.
There are specific situations where overriding the "x-frame-options" security policy is useful, such as in digital signage, where it is desirable to show an organization's Facebook page in an iframe alongside other signage iframes.
Clickjacking and phishing will not occur because the organization is displaying its own Facebook page on its own browser-driven display devices.
If the browser doesn't provide an internal x-frame override on its "about:flags" page, you may need to install a browser extension to override x-frame-options on the signage device.
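The X-Frame-Options behaviour described in the cloaking answer (the DENY refusal), the Facebook security team's clickjacking explanation, and the signage use case above, as an added example that is not part of any post on this page and is not Facebook's code: a Node.js helper that emits the anti-clickjacking headers for a page, alongside a small evaluator approximating how a browser applies them, so a specific trusted framing origin can be allowed without disabling the protection for everyone else. The origins are constructed placeholders; the evaluator assumes the modern rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options when both are present.

```javascript
// Added example (not from any answer on this page): emit anti-clickjacking
// headers for a page and approximate how a browser applies them.
// All origins used here are constructed placeholders.

// Headers for a page that may only be framed by the origins in `allowedOrigins`
// (empty list: never framed). X-Frame-Options cannot express an allowlist, so the
// CSP frame-ancestors directive carries it; X-Frame-Options is kept only as a
// coarser fallback for browsers that do not understand frame-ancestors.
function framingHeaders(allowedOrigins, selfOrigin) {
  if (allowedOrigins.length === 0) {
    return { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  const sources = allowedOrigins.map((o) => (o === selfOrigin ? "'self'" : o));
  return { 'X-Frame-Options': 'SAMEORIGIN',
           'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}` };
}

// Would a browser honouring these headers render `selfOrigin`'s page when the
// top-level document is `framerOrigin`? (null = not framed at all.) Assumes the
// modern rule that frame-ancestors wins over X-Frame-Options when both exist.
function mayBeFramed(headers, selfOrigin, framerOrigin) {
  if (framerOrigin === null) return true;
  const csp = headers['Content-Security-Policy'] || '';
  const m = /frame-ancestors ([^;]+)/.exec(csp);
  if (m) {
    // 'none' matches nothing, 'self' matches the page's own origin,
    // anything else must equal the framing origin exactly.
    return m[1].trim().split(/\s+/).some((src) =>
      src === "'self'" ? framerOrigin === selfOrigin : src === framerOrigin);
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === selfOrigin;
  return true; // no policy at all: any site may frame the page
}

// Scenario from the signage answer: one trusted display origin may frame the
// page, while every other site still gets the clickjacking protection.
function signageScenario() {
  const self = 'https://app.example';
  const headers = framingHeaders(['https://signage.example'], self);
  return {
    headers,
    signage: mayBeFramed(headers, self, 'https://signage.example'),
    attacker: mayBeFramed(headers, self, 'https://attacker.example'),
  };
}
```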