I got the following error when I click on a mailto: link in colorbox.
It works without colorbox, but unfortunately I need to use colorbox.
I tried header('X-Frame-Options: GOFORIT'); but it doesn't work.
And it shows the following error message in the console:
Refused to display document because display forbidden by X-Frame-Options.
Any idea?
I've never messed with X-Frame-Options (though I did work directly for the guy that wrote the book on clickjacking). According to Mozilla, there are only two acceptable values:
DENY
SAMEORIGIN
And these are returned by the iframed source server, which it sounds like you have control over. Both of which are defensive, not permissive.
What happens if you turn off the header outright?
Also, to avoid issues with users who use their web mail client (like me) who may not want to leave the colorbox or have the webmail client bound in an iframe, try setting target="_blank" on the link. Perhaps escaping the iframe will alleviate other issues.
Some sites forbid their pages from being displayed in an iframe. If that is the situation you are running into, then there isn't much that can be done. However, I would not recommend trying to colorbox a mailto link, as you have no control over how visitors handle those kinds of links.
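Added example, not part of the original posts: a small evaluator for the X-Frame-Options value sent with the framed response, using the two values the answer lists. The URLs are constructed, and the SAMEORIGIN check compares only the immediate parent, which is a simplification for a single level of framing.

```javascript
// The two values the answer lists; anything else is not a directive.
const RECOGNIZED_XFO = new Set(['DENY', 'SAMEORIGIN']);

// headerValue: X-Frame-Options sent with the *framed* response.
// frameUrl: document loaded in the iframe; parentUrl: page holding the iframe.
function framingDecision(headerValue, frameUrl, parentUrl) {
  const value = String(headerValue || '').trim().toUpperCase();
  if (value === '') {
    return { verdict: 'no-header', reason: 'framed response sent no X-Frame-Options' };
  }
  if (!RECOGNIZED_XFO.has(value)) {
    return { verdict: 'unrecognized-value', reason: `"${value}" is not DENY or SAMEORIGIN` };
  }
  if (value === 'DENY') {
    return { verdict: 'blocked', reason: 'DENY forbids framing by any page' };
  }
  const sameOrigin = new URL(frameUrl).origin === new URL(parentUrl).origin;
  return sameOrigin
    ? { verdict: 'allowed', reason: 'SAMEORIGIN and origins match' }
    : { verdict: 'blocked', reason: 'SAMEORIGIN but parent is another origin' };
}

// Constructed scenario: a page on shop.example frames a webmail compose page.
const PARENT = 'https://shop.example/contact';
const WEBMAIL = 'https://mail.example/compose';
for (const header of ['GOFORIT', 'DENY', 'SAMEORIGIN', '']) {
  console.log(JSON.stringify(header), framingDecision(header, WEBMAIL, PARENT));
}
```

The header that matters is the one on the framed document's response, so a value set on the embedding page does not change the outcome for a third-party page loaded inside the iframe.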
Related
As context, I would say that I am suffering from a self-diagnosed YouTube addiction. For which, I decided to use the Blocksite extension to block the said website, which worked pretty well. But after some time, I came across a page called brave://extensions which is part of the internal settings of the Brave browser. Due to which, my addiction resurfaced stronger than before as I could now toggle the Blocksite extension off through this page. I have tried to block this webpage as well through the extension but it doesn't work on this page as it said the URL is incorrect, since it is not exactly a URL but an internal settings tab of the browser. Is there a way I can block this page and other internal tabs from opening? Please help.
Use the channel blocker and unhook extensions to get rid of unwanted content on YouTube.
With the first one, you basically block YouTube channels that come up in the search results all the time. And with the hook, you have many options. You are not given video suggestions anymore.
So I was making a cool homepage to replace my default homepage of Google Chrome on my phone, which I made
And I was trying to use the top sites provided by Chrome to skip the extra work of adding sites manually.
I somehow found the URL
chrome://explore
which works as expected when entered manually in Chrome.
But when I use the URL in the href of the anchor tag, it simply doesn't work.
Is there a way to make it work, or any other website that provides the same thing?
Comment:
Share some more details. Are you getting any errors in the console? Or share your code.
PS: I can't add a direct comment (newbie), that's why I'm adding the comment here.
It's not allowed for Chromium browsers, as it's not secure.
Long explanation:
If it were allowed, any website could request this with, let's say, fetch and read any of your chrome://history page.
We have on the public part of our web app some mailto: links in the footer. Someone or something (aka bot) keeps hitting these links and navigating to https://basurl/mailto:some#email.com which results in errors as the webserver isn't happy with the colon in the url.
I assume this is a client setting and outside of our control, correct?
What are the options to prevent this besides obfuscating the link with javascript, also hiding it for bots?
If this is a defective client and not a bot, the javascript solution wouldn't help either.
I could suppress this kind of error, but this is more preventing the symptom instead of the cause...
I assume this is a client setting and outside of our control, correct?
Yes.
What are the options to prevent this besides obfuscating the link with javascript, also hiding it for bots?
It's a bad bot. It probably isn't doing anything good for you. You could examine the IP ranges it comes from and the user agent it sends and block it entirely.
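Added example, not part of the original answer: one way to do the examination it suggests, by pulling requests whose path contains `mailto:` out of an access log and grouping them by client IP and user agent. The combined log format, the sample lines, and the `ExampleCrawler` user agent are constructed assumptions.

```javascript
// Constructed sample lines in combined log format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /mailto:info@example.com HTTP/1.1" 400 512 "-" "ExampleCrawler/1.0"',
  '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /contact/mailto%3Ainfo@example.com HTTP/1.1" 400 512 "-" "ExampleCrawler/1.0"',
  '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /mailto:sales@example.com HTTP/1.1" 400 512 "-" "ExampleCrawler/1.0"',
  'this line is malformed and is skipped',
];

// ip, method, path, status, user agent
const LINE_RE =
  /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// Return one entry per (ip, user agent) pair that requested a mailto: path,
// most active first.
function mailtoPathHits(lines) {
  const groups = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a parseable access-log line
    const [, ip, , rawPath, , userAgent] = m;
    let path;
    try {
      path = decodeURIComponent(rawPath); // also catches mailto%3A
    } catch {
      path = rawPath; // malformed percent-encoding: test the raw path
    }
    if (!/\/mailto:/i.test(path)) continue;
    const key = `${ip} | ${userAgent}`;
    const entry = groups.get(key) || { ip, userAgent, count: 0 };
    entry.count += 1;
    groups.set(key, entry);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

console.log(mailtoPathHits(SAMPLE_LOG));
```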
I am trying to display images from a non-ssl url source on my ssl site through relative linking, making sure the padlock shows up green and does not message mixed content. Though I understand this might not be the best way going forward I have 2 questions:
1) I have 2 sources:
http://bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
and
http://bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
If I convert the first source to:
//bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
it will not be displayed in Chrome.
If I convert the second source to:
//bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
it will be displayed in Chrome and padlock shows green.
Can someone explain the difference to me?
2) Is there a better way to show images from non-SSL URLs of external sources in an SSL site, making sure the padlock is green?
Any help would be highly appreciated.
Funny you should post this. I had a really odd behaviour for something similar to this today and you have no choice but to use //example.com/...... and this is just a (Google) Chrome thing.
The difference here is that in using //, it will automatically resolve to the respective protocol; which you should use and this for JS scripts, images, forms etc.
NOTE: If there is any mix of http/https anywhere in your code, then that too will cause havoc and will throw a message in any browser about mixed content.
If your URLs start with "//" it means that the browser should use the protocol of the parent webpage. In your case it's https.
So your two links become:
https://bc01.rp-online.de/polopoly_fs/benito-raman-fortuna-duesseldorf-2017-1.7053738.1516622253!httpImage/1633501625.jpg_gen/derivatives/d950x950/1633501625.jpg
But bc01.rp-online.de doesn't have a valid https certificate.
and
https://bilder.bild.de/fotos-skaliert/prinzessin-eugenie-ist-verlobt-200668711-54556312/3,w=120,c=0.bild.jpg
which works perfectly.
If you include http images in your https website, chrome doesn't show the "secure" green padlock because your website is not fully secure: some items may be intercepted/modified by a third party.
To have the green padlock you should only use secure (https) images/resources. If these images are not available with https (or if their https links are broken or redirect to http) then you need to find another solution, such as hosting the images yourself.
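Added example, not part of the original answers: a checker that resolves each `<img src>` against the page URL the way the answer describes for `//` URLs and flags the ones that would load over plain http on an https page. The hostnames and HTML are constructed; it cannot tell whether the resolved https host actually presents a valid certificate, which has to be checked against the live server.

```javascript
// Constructed sample markup (hosts are placeholders).
const SAMPLE_HTML = `
<img src="http://img.example.net/a.jpg">
<img alt="x" src='//img.example.net/b.jpg'>
<img src="/local/c.png">`;

// Resolve every <img src> against the page URL and report how it would load.
function auditImageSources(pageUrl, html) {
  const page = new URL(pageUrl);
  const results = [];
  const imgSrc = /<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  let match;
  while ((match = imgSrc.exec(html)) !== null) {
    const src = match[2];
    const resolved = new URL(src, page); // "//host/x" inherits the page's scheme
    results.push({
      src,
      resolved: resolved.href,
      protocolRelative: src.startsWith('//'),
      // http subresource on an https page is what loses the padlock
      mixedContent: page.protocol === 'https:' && resolved.protocol === 'http:',
    });
  }
  return results;
}

console.log(auditImageSources('https://shop.example.com/news', SAMPLE_HTML));
```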
Is there a way to create a Chrome extension to trick a site loaded in an iFrame into thinking it's not in a frame?
We load clients' sites into an iframe for demos, but some resources get blocked due to them disallowing being loaded in an iFrame. We'd like to load these sites into a frame as though you were browsing directly to the site in a standalone tab.
You should use Chrome's webRequest in order to intercept the server response. See the API. Here you go for the onHeadersReceived event, where you are in control of any response headers => you need to remove the X-Frame-Options header from the response.
That's pretty much it, if this is the only problem in loading those sites.
However, for the sake of completeness, in order to fully trick the browser (which you most likely do not need) you also need to inject a script into every page that would clear up some things like window.parent by simply removing them from the window object, and some other things like origin etc. However, removing the header would work for 99.9999% of your use cases.