Safari blocks iframe on the same top level domain - iframe

I have a website running on, let's say, web.test.company.cloud, which has an iframe from another subdomain on the same top-level domain: tasks.test.company.cloud. The iframe uses postMessage to tell the parent document about its height in pixels.
When I open this page in Safari there's a console error saying:
Blocked a frame with origin "https://tasks.test.company.cloud" from accessing a frame with origin "https://web.test.company.cloud". Protocols, domains, and ports must match
It seems that Safari is the only major browser that does this. I find this strange since both documents share protocol, domain, and port. While reading about this issue I haven't found any workarounds, so any help on this is appreciated.
Also, will I have the same error in production where parent is running on company.cloud while the iframe is on tasks.company.cloud?
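As an added example (not code from the question or any answer), here is the height-report exchange done through postMessage with the checks a parent page should apply: the child names the parent's exact origin as targetOrigin, and the parent verifies event.origin, event.source and the message shape before touching the iframe. The hostnames, message shape and height cap are assumptions; both the test and production child hosts are allow-listed because each host is its own origin regardless of the shared registrable domain.

```javascript
// Added example, not the question's code; hostnames, message shape and
// the 20000px cap are assumptions. Each host is its own origin, so the
// test and production child hosts are allow-listed separately.
const ALLOWED_CHILD_ORIGINS = new Set([
  "https://tasks.test.company.cloud",
  "https://tasks.company.cloud",
]);

// Child side: build the message, refusing nonsensical heights.
function buildHeightMessage(heightPx) {
  if (!Number.isInteger(heightPx) || heightPx < 0) {
    throw new TypeError("height must be a non-negative integer");
  }
  return { type: "iframe-height", height: heightPx };
}

// Child side: name the parent's exact origin as targetOrigin rather than
// "*", so the browser drops the message if some other page framed us.
function reportHeight(parentWindow, parentOrigin, heightPx) {
  parentWindow.postMessage(buildHeightMessage(heightPx), parentOrigin);
}

// Parent side: accept only allow-listed origins and the expected shape;
// returns the sanitised height or null. event.origin is set by the
// browser and cannot be chosen by the sender.
function heightFromMessage(event, allowedOrigins = ALLOWED_CHILD_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return null;
  const data = event.data;
  if (!data || data.type !== "iframe-height") return null;
  const h = Number(data.height);
  if (!Number.isInteger(h) || h < 0 || h > 20000) return null;
  return h;
}

// Parent side: listen for one specific iframe element's messages.
function installParentListener(win, iframe, allowedOrigins = ALLOWED_CHILD_ORIGINS) {
  win.addEventListener("message", (event) => {
    // Require the sender to be this iframe's window, not just any frame
    // that happens to live on an allowed origin.
    if (event.source !== iframe.contentWindow) return;
    const h = heightFromMessage(event, allowedOrigins);
    if (h !== null) iframe.style.height = `${h}px`;
  });
}

// Child-document wiring (skipped when run outside a browser, e.g. Node).
if (typeof window !== "undefined" && window.parent !== window) {
  reportHeight(window.parent, "https://web.test.company.cloud",
    document.documentElement.scrollHeight);
}
```

Direct access to the other frame's DOM (parent.document, frames[0].document and the like) is what produces the "Blocked a frame with origin" error; the message channel above is the only part of this exchange that is allowed to cross the origin boundary.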

Related

Why aren't network requests for iFrames showing in the Chrome developer tools under Selenium?

I have a use case where I need to retrieve the initiator from the Chrome Network tab. This works fine, except for the following case:
The iframe is HTTPS;
The enclosing page is HTTP;
The page was opened by Selenium
In this case, the network tab (and any extension on the debug protocol) show the fetch to the iframe content remains pending forever, and none of the child loads are emitted.
Changing the page URL to HTTPS, then the iframe is loaded and the child loads are displayed.
If I manually control the Selenium-opened browser and open a new tab, then it does not matter if the fetch is over HTTP or HTTPS. It really is only the tab that webdriver creates when it's loaded that seems to suffer this effect.
Is there some security protection at play, or is this just a weird bug?
This appears to be caused by Out-of-Process iFrame Isolation.
By passing --disable-features=IsolateOrigins,site-per-process to the Chrome process, then the iFrame network traces show up.

AMP HTML amp-ads - Blocked Frame, Protocols, domains, and ports must match

I'm attempting to resolve an error that is preventing me from showing google-adsense ads on an amp-html site that I built and am hosting on an nginx server. I have searched and read through quite a few similar questions on Stack Overflow, Google Adsense and Amp By Example documentations.
I placed an amp-ad per Google's instructions. The page itself loads properly, but with whitespace where the ad should be. In the console, I get this error (twice):
Blocked a frame with origin "https://d-1234567890.ampproject.net" from accessing a frame with origin "https://example.com". Protocols, domains, and ports must match.
I recently moved the Nameservers to a new server, which now supports https instead of http. The site appears to still be verified in Adsense, but is it trying to send the ads via the wrong protocol?
Protocols must match -- seems to be the case, as both sites are https.
Domains and ports must match -- ok, but how to verify these?
Beyond this, I'm not quite sure how to troubleshoot the issue, other than blindly turning off security measures. Should I be looking at my headers (X-Frame-Options, X-Content-Type-Options, etc.)? Or my Content-Security-Policy header? Or is Google Adsense still using the old http protocol?
FWIW, I am also getting these (related) warnings in the console:
[Warning] The resource https://3p.ampproject.net/234567890/f.js was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it wasn't preloaded for nothing.
[Warning] The resource https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it wasn't preloaded for nothing.
Thank you in advance for your help.

URL won't load inside iFrame

I'm using myRealPage to create Mobile links for me. In the settings it creates links for various things like listings etc... I can embed all the links but one into an iFrame. All the others work perfectly fine but this one
http://listings.myrealpage.com/wps/recip/25064/m.form
It just sits there and tries to load. I do get one error saying this:
Uncaught SecurityError: Blocked a frame with origin "http://listings.myrealpage.com" from accessing a frame with origin "MYSITE". Protocols, domains, and ports must match.
I'm not really understanding that because all the other links contain the same listings.myrealpage in them and work fine.
The code I have for the iFrame is this:
<iframe src="LINK" name="frame2" scrolling="auto" frameborder="no" height="800px" width="100%">
</iframe>
That's the same too for all the others but replacing the src part with the other links.
Hopefully there's an answer for this.
Thanks
That error message is due to the same-origin policy.
Usually, this is sent in an HTTP header and causes the browser to deny a load of IFRAME content unless there's an exact match of port, protocol and domain.
E.g. port (usually 443 for SSL, or 80 for standard HTTP), protocol (http for parent page and iframe, or https for both) and domain (blah.domain.com and blah2.domain.com would be a non-match).
Either remove the restriction of the same-origin-policy (you may not be able to do this if you do not govern the server), or, satisfy it. Then, you'll be able to render that content within a frame.
You could use something like Fiddler to determine the erroneous URL (it's free to download from Telerik) and where the request occurs.

PhoneGap + iFrame : Blocked a frame with origin

I'm trying to resolve a bug, but I can't.
My problem is:
In my PhoneGap application, I need to integrate an iframe (I can't give my URL for safety reasons). My iframe is displayed but I have an error message.
The iframe tries to set cookies on the device and read them. If I launch the iframe in Safari directly or if I use the InAppBrowser of PhoneGap, I have no problem/error. But through the PhoneGap "iframe", I get an error.
The log is:
Blocked a frame with origin "http:// URL_IFRAME:NUMBER_PORT" from accessing a frame with origin "file://". The requesting access has a protocol of "http", the frame being accessed has a protocol of "file". Protocols must match.
I hope to be fairly accurate.
Thanks

non-secure items in Sharepoint 2007

When accessing our sharepoint site via HTTPS, users inside our network receive a prompt stating "Display nonsecure items?".
When accessing the site from outside our network via HTTPS, some images do not display at all. Some links also do not function correctly.
We have found that this occurs when site administrators create images and/or link and display them using HTTP.
How can we seamlessly integrate HTTP and HTTPS so that we don't have to tell site administrators to use only HTTPS when creating images and links?
I have looked at our Alternate Access Mappings, and here is the relevant info there (Internal URL / Zone / Public URL):
http://computername                 Default   http://computername
http://HostName                     Default   http://HostName
http://subdomain.domain.com         Intranet  http://subdomain.domain.com
https://subdomain.domain.com        Extranet  https://subdomain.domain.com
http://computername:port            Default   http://computername:port
http://subdomain2.domain.com        Default   http://subdomain2.domain.com
http://computername:port2           Default   http://computername:port2
Some explanation:
ComputerName is the name of the server.
HostName is just a single-hostname DNS entry we have so people can quickly type, for example, "Sharepoint" in their address bar.
Subdomain is basically sharepoint.ourdomain.com, pretty self-explanatory.
Subdomain2 is for our Business Intelligence services server.
We have two entries with port numbers. One goes to Central Admin; the other gives an error and I'm not sure what it's used for (if anything).
I inherited support of this application. I hope things aren't too messed up.
So TLDR: How can I get HTTP and HTTPS working seamlessly together inside/outside our network to avoid missing images and invalid links?
Thanks all.
The problem is that the URLs in the links and image src are absolute rather than relative.
http://subdomain.domain.com/someimage.gif is always going to use http as it's an absolute link.
/someimage.gif is a relative link (the leading / means relative to the hostname), so if this URL is on an http page it will use http, and on an https page it will use https (well, technically it depends upon the document BASE, but you can ignore that for your purposes).
E.g. given the relative URL /somepage/someimage.gif:
When accessed from this page         Will mean this
http://example.com/somepage/         http://example.com/somepage/someimage.gif
httpS://example.com/somepage/        httpS://example.com/somepage/someimage.gif
http://NEWDOMAIN.com/somepage/       http://NEWDOMAIN.com/somepage/someimage.gif
and everything will work just fine with no warnings.
The built-in CEWP puts all links in as absolute. To fix:
MSDN - Fixing absolute URLs for all Alternate Access Mappings (AAM) of Content Editor Web Part with a Control Adapter