I'm trying to use addthis on my page. When using Chrome, I receive a JavaScript security error.
Unsafe JavaScript attempt to access frame with URL <AddThis url> from frame with URL <local url>. Domains, protocols and ports must match.
The only frame I've got in this page is an AddThis-generated one, with the title "AddThis utility frame".
Is there any way to get over this?
I've seen this in addthis's implementation of nucaptcha for their version 250. Try upgrading to their 300 version, they went back to recaptcha.
Related
I am developing a web page that needs to display, in an iframe, a report served by another company's SharePoint server. They are fine with this.
The page we're trying to render in the iframe is giving us X-Frame-Options: SAMEORIGIN which causes the browser (at least IE8) to refuse to render the content in a frame.
First, is this something they can control or is it something SharePoint just does by default? If I ask them to turn this off, could they even do it?
Second, can I do something to tell the browser to ignore this http header and just render the frame?
If the 2nd company is happy for you to access their content in an IFrame then they need to take the restriction off - they can do this fairly easily in the IIS config.
There's nothing you can do to circumvent it and anything that does work should get patched quickly in a security hotfix. You can't tell the browser to just render the frame if the source content header says not allowed in frames. That would make it easier for session hijacking.
If the content is GET only you don't post data back then you could get the page server side and proxy the content without the header, but then any post back should get invalidated.
UPDATE: 2019-12-30
It seem that this tool is no longer working! [Request for update!]
UPDATE 2019-01-06: You can bypass X-Frame-Options in an <iframe> using my X-Frame-Bypass Web Component. It extends the IFrame element by using multiple CORS proxies and it was tested in the latest Firefox and Chrome.
You can use it as follows:
(Optional) Include the Custom Elements with Built-in Extends polyfill for Safari:
<script src="https://unpkg.com/#ungap/custom-elements-builtin"></script>
Include the X-Frame-Bypass JS module:
<script type="module" src="x-frame-bypass.js"></script>
Insert the X-Frame-Bypass Custom Element:
<iframe is="x-frame-bypass" src="https://example.org/"></iframe>
The X-Frame-Options header is a security feature enforced at the browser level.
If you have control over your user base (IT dept for corp app), you could try something like a greasemonkey script (if you can a) deploy greasemonkey across everyone and b) deploy your script in a shared way)...
Alternatively, you can proxy their result. Create an endpoint on your server, and have that endpoint open a connection to the target endpoint, and simply funnel traffic backwards.
Yes Fiddler is an option for me:
Open Fiddler menu > Rules > Customize Rules (this effectively edits CustomRules.js).
Find the function OnBeforeResponse
Add the following lines:
oSession.oResponse.headers.Remove("X-Frame-Options");
oSession.oResponse.headers.Add("Access-Control-Allow-Origin", "*");
Remember to save the script!
As for second question - you can use Fiddler filters to set response X-Frame-Options header manually to something like ALLOW-FROM *. But, of course, this trick will work only for you - other users still won't be able to see iframe content(if they not do the same).
We have a project that use standard Facebook API used mainly for login and registration purpose.
Since we use Sentry to receive error notification, the following one (in home page) occurs often:
SecurityError: Blocked a frame with origin "https://www.mywebsite.com" from accessing a
frame with origin "https://www.facebook.com". The frame being
accessed set "document.domain" to "facebook.com", but the frame requesting access did not.
Both must set "document.domain" to the same value to allow access.
at hasPasswordField_ (/en:1:368)
at hasPasswordField_ (/en:1:499)
at findPasswordForms (/en:1:173)
at global code (/en:10:27)
It's strange because the methods
hasPasswordField_ / findPasswordForms
don't exist on the project code.
Because the error currently occurs only on
iOS Chrome Mobile, version: 59.0.3071 | 60.0.3112
There is a Chrome internal component that is trying to access to the Facebook iFrame or is Facebook searching for some password fields on the webpage?
UPDATE:
After a further search, I found this post on Sentry GIT page:
https://github.com/getsentry/sentry/issues/5267
they suggest simply to ignore the error.
Any idea how to face it differently?
Any help will be appreciated!
It says here that the bug has been fixed in version 61. https://crbug.com/709132
I have one page say display.aspx that is being used in other sites in Iframe. In display.aspx page, I have one button which opens Facebook popup for sharing. After successful share it gives me response in one page in my site say FBResponse.aspx. From FBResponse.aspx,I want to reload the display.aspx page.
I have tried 1) window.opener.history.go(0);
2) window.opener.location.reload(false);
3) opener.location.reload(false);
But none of these working for me.
Moreover, I have made one function in display.aspx page, in that function I have written code to reload the page. I tried to call this function from FBResponse.aspx ,but in Chrome I am getting error The frame requesting access has a protocol of 'https', the frame being accessed has a protocol of 'http'. Protocols must match and in FF I am getting error Permission denied to access property in IFRAME. Actually my site is working on https where as the sites which are using my page display.aspx might be using http protocol.
Any solution?
Thanks,
Priya
Hey Try This one.
<form onsubmit="window.top.location.href = 'http://www.wesite.com/test.html';">
Be attention iframe and top must be on same domain and don't break same origin policy.
Hope it would helps you.
You can't unless both page and iframe have same domain (and in this case you can make protocols to match). Same origin policy can be a biatch.
I have this error while running a html file in Chrome:
iframe Unsafe JavaScript attempt to access frame with URL http://my_server.com/param from frame with URL http://another_server/example.html. Domains, protocols and ports must match.
Is there a way so I can run the Javascript in different server?
You need to change the hash not the url itself. There are many similar questions in stackoverflow regarding this issue. You can try check this out.
im using an iframe from the fancybox plugin. I can close the iframe in every browser excpect google chrome with the javascript order:
parent.$.fancybox.close();
or:
parent.jQuery.fancybox.close();
just google chrome refuses to do his job in this case.
The error message of the console is:
Unsafe JavaScript attempt to access frame with URL file:///C:/Users/exampleuser/Desktop/index.html from frame with URL file:///C:/Users/exampleuser/Desktop/Version42/index.html#. Domains, protocols and ports must match.
pidgin.js:357Uncaught TypeError: Cannot read property 'fancybox' of undefined
My frame is local at the moment if that matters.
Try using parent.postMessage() (described here) and listen in on window.onmessage at the parent to invoke $.fancybox.close().
Nothing wrong with your code but Google Chrome won't let you work with ajax or iframes (and fancybox) locally. You need to upload your files to a server to make it work.