ssl showing error in website - javascript

In my website, there is an error occurred based on the ssl. On the main page, there is a youtube video will play, when the site load. I think the ssl error is due to this because after inspecting element, it shows the following error:
1) Unsafe JavaScript attempt to access frame with URL https://dev.myproject.info/ from frame with URL https://www.youtube.com/embed/Zr4JwPb99qU?autoplay=1. Domains, protocols and ports must match.
2) The page at https://dev.myproject.info/ displayed insecure content from http://r4---sn-ci5gup-h55e.googlevideo.com/crossdomain.xml.
3) The page at https://dev.myproject.info/ displayed insecure content from http://r4---sn-ci5gup-h55e.googlevideo.com/videoplayback?algorithm=throttle-factor&burst=40&clen=1704783&cpn=LbUqMfNNay39Ml-
I don't know what to do. Any help is much appreciated. Thanks in advance.

The first warning you can't get rid off, it always shows up if an iframe tries to access data from another iframe not hosted from the same domain. It happens with a lot of third-party content (like a LinkedIn button on your site for example) since you can't check if you have access without triggering the warning. But you can safely ignore it as it won't show up to end users.
As for the other two, as this data is loaded by the youtube iframe which you don't have control over you can't get rid of it. I think this has only started happening recently and Google/Youtube will have to fix it on their end. I guess the only solution for now is to open videos in another window (which isn't really ideal).

Hi I actually went through something similar with my JQUERY link for HTTPS/SSL.
Originally it was: "http://code.jquery.com/jquery-1.9.1.min.js"
Then I changed it to this: "//code.jquery.com/jquery-1.9.1.min.js"
So that it will register it with https or http. That should do the trick.
You can also view this article in stackoverflow: Why do I have both HTTPS and HTTP links on site, need them all secure!
Good luck!

Related

How can I load an alternate URL if, upon trying to load a URL in a frame, it times out?

Say I have set up a page with 8 frames, each frame tries to load different URLs in my LAN. If one or more of these URLs (belonging to local web servers) fail to load, I get the ugly error screen. Is there any way I can force that frame(s) to load an alternate URL if it times out or we can't catch that?
ThankS!
Your post lacks sufficient information to answer it fully.
This Answer is just resource help & knownledge. Hope you find it helpful.
If you are http://localhost/ as your main page, and the iframes are on the same host domain http://localhost/ you should be able to read the iframes & their content with javascript.
If you are lets say http://mywebsite.com/ and you are trying to access http://localhost/ you'll run into a wall, because web browsers are built to prevent you from interacting with the sub-domain or iframe bacause of Same-Origin-Policy.
https://en.wikipedia.org/wiki/Same-origin_policy
If you control http://localhost/ you can add the headers or permissions to allow Same-Origin-Policy to overrode. CORS for short. Not sure if it allows iframe access, i dont use iframe much anymore, i just use AJAX. Which for you i'd recommend looking into because it can handle ERROR PAGES exactly the way you want.
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
If you control both the HOST http://mywebsite.com/ & http://localhost/ you can put javascript on both pages & allow them to communicate with each other. But if you are getting error pages, it is unlikely you can control error page responses.
https://en.wikipedia.org/wiki/Web_Messaging

Detecting "Bad Request" or 404 in iframe

Is there a way to detect these website errors in iframes? I am working on a app that has a third party website that has to be embedded into an iframe (trust me I'm not happy about it.) and we have to be able to hide the iframe if these errors occur.
What is the most graceful way to handle this? I have tried a .error, but have had no success. Help would be appreciated so I can keep my brain intact and not have it explode everywhere.
No, it's not.
If iframe is coming from diferent source and doesn't allow access( X-Frame-Options ), you can't do anything about it.
read about it here same origin policy.
There are few things, however, you can do:
If those are singular clicks (people don't navigate further) you can just make request and check content and then actually open iframe.
You can add in app browser like Linkedin for example. Take a look at cordova in app that is really specific solution, different for each platform, but it removes need of iframe.

X-Frame ORIGINS in IFRAME

A while ago I created an application whereby clients connect to a server using WebRTC protocols.
The clients screen is made up of two halves. One half is linked to the server and receieves things like messages, and has the web page which has the WebRTC javascript in it. The other is an IFRAME. When the client connects to the server, the server sends the client a web address which is loaded in the IFRAME.
I know that some web pages cannot be loaded in an iframe, examples typically having password screens. Google forms does not appear to have this restriction, which is great.
So now imagine I launch a server and ask 20 people to connect to it. All 20 students connect to the server properly, I know because it comes up with all their details on my computer. Typically, from my testing, 15/20 will be fine. The other 5 will get a white screen. When I investigate in the console it is an XFRAMES ORIGIN problem, its saying the webpage being loaded will not allow itself to be loaded in an iframe. However everybody else (who are using the same browser [chrome], and some the same browser version) are fine.
Now I have one solution which works for some students, there is a setting in chrome which is called:
block third party cookies and site data
If this is enabled it doesn't work, if its not enabled it does work.
Now I have 4 students left who still just see a white screen whom I have no solution for. Chrome and Firefox both support the software but both produce the same issue.
The building setup is that students connect to the internet through a server. They must connect via this server as my nameserver is not local and indeed my website is not local either.
I dont think it is a coding issue as it only happens on a few select computers and everything else works just hunky dory. Thus I think it might be an issue with something else: firewall, security settings, config button etc. If anybody has any suggestions for what i can do to remedy this then I would be very grateful for your help.
I have tried to supply all info I believe to be relevant (hense the length) but anything I have missed please ask.
Thank you.
Alex
If the main site's URL is different than the iframe's URL, you'll get an xframes origin problem. This includes the protocol (http vs. https) and full domain (example.com vs www.example.com). In other words, if a user goes to example.com and the iframe uses www.example.com it could cause an xframes origin error. Or if they go to http://www.example.com and the iframe uses https://www.example.com you might get this error.
OK so for people who encounter this issue in the future I am going to create an update this post here. Basically it is for people who want an answer to the issue of iframes just displaying a whitepage.
With these three solutions I have eliminated all my issues, but as I come up with new ones I will post them here. Hopefully its useful to somebody :)
SOLUTION 1
If your iframe is aiming somewhere that requires the user to log in, it is unlikely to work. Password pages are rarely cross origin for obvious and good reasons. The solution is to ensure before they use your iframe page they log in fully to what they are doing, or provide an error message that gives them this information if it happens. See this post for details: Catch error if iframe src fails to load . Error :-"Refused to display 'http://www.google.co.in/' in a frame.."
Where I am we had dual login, so they sign into google and then into the organisation. Both these login areas will cause your page load to fail.
SOLUTION 2 (Chrome ONLY)
Some services react badly to QUIC mode, and some of my users have had issues due to this.
To fix:
1. chrome://flags
2. change QUIC mode to 'Disabled'
SOLUTION 3
If you are working via a proxy server that requires cookies, users may have issues if they have the 'Block third-party cookies and site data' button enabled. Disabling this had a positive effect on how well the iframes were working.
In chrome:
Settings
Search for cookies
Click 'content settings'

Same Origin Policy and Facebook

Now I know there are a lot of resources about same origin policy, but I just want a straight up answer for my specific query as I am really struggling to understand.
I am using Facebook plugins on my website, these create iframes that are only visible in the DOM when I use chromes inspect element etc.
Is there a way that I can access these iFrames properties/attributes at all, or is it a resounding "NO CHANCE!". I am spending far too much time on this and I just need to get a final verdict.
Thanks!
Javascript doesn't see the iframe content. Chrome inspector just loads 2 different websites in the same time, yours and the plugins one, so you can play with both of them.
Just curious, how would you like to change it?
In general, JavaScript cannot access iframe content from outside of the iframe, unless the page domain and the iframe domain share the same protocol and host and port. In your case, this could possibly be done using a proxy server to load the iframe content from your domain.
http://en.wikipedia.org/wiki/Same_origin_policy

HTML: iframe sandbox alternatives

Some websites has a script that will redirect it to the original site if you tried to put it on an iframe. So to solve this, we have add the property sandbox="allow-scripts" to the iframe tag. But this solution will not work on browser that doesn't support html5. How can we resolve this? Additionally, we still want to have the script activated on the inner pages.
Ask the owners/administrators of the site to give you an authenticated URL for the site that doesn't redirect.
If you're trying to do this without the permission of the owners/adminstrators, then please reconsider your design.
It sounds like the original post is mentioning a frame-busting script which is in place to keep the page contents from being framed, usually to combat click-jacking attacks.
If you have permission from the site you are trying to frame, aka you have a legitimate reason to be framing their site, you should work with the owners of that site to find a work around. One such method would be to have them replace their frame-busting script with an X-Frame-Options header that could list your domain as an allowed domain to frame the content.

Categories