How to open a Google OAuth2 URL in an iframe

I have a URL that starts with https://accounts.google.com/o/oauth2/v2/auth...
I deleted the following parameters for security purposes.
When I try to open this URL in an iframe, I get this error in the console:
Refused to display 'https://accounts.google.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
(screenshot)
My code:
<iframe src="https://accounts.google.com/o/oauth2/v2/auth..." width="300" height="300"></iframe>
Is there a way to show the Google OAuth2 site in the app with an iframe, or another way?

Related

404 error for page view event, google tag manager or application?

When I check the console in Chrome DevTools I see the 404 error below. Pasted example:
POST https://www.example.com/g/collect?v=2&tid=G-XXXXXX&gtm=2oe8b0&_p=424137054&sr=1366x768&ul=en-us&cid=1940949659.1614938183&_s=1&dl=https%3A%2F%2Fwww.example.com%2Fmovies%2F&dr=https%3A%2F%2Fwww.example.com%2Fcasts%2F&dt=Movies%20Free&sid=1628778501&sct=16&seg=1&en=page_view 404
I don't know where to start debugging. Is this a Google Tag Manager or a Google Analytics error? Every time a page on the website is viewed, this error is displayed in the console. The route "/g/collect" doesn't exist in my application. How do I solve this? Do I have to create the route in my application or change something in Tag Manager?
The path is from a tracking call to GA4 (recognizable by the /g/collect route and the v=2 parameter, which refers to measurement protocol version 2).
If that is actually your own domain in that request, then it is possible that somebody has changed the "transport_url" property in the GA4 configuration in the "Fields to set" section of the GA4 configuration tag.
Or somebody set the "Send to Server Container" option and added your domain, which is essentially a nicer UI for the same feature.
If you have not configured the route on your server, this will result in a 404. You would configure this only if you run a proxy for your GA4 calls or want to use server-side Google Tag Manager. If you do not want to do that, just remove the setting.
For client-side GA, the endpoint should be: https://analytics.google.com/g/collect
For example:
https://analytics.google.com/g/collect?v=2&tid=G-XXXXXX&gtm=2oe8b0&_p=424137054&sr=1366x768&ul=en-us&cid=1940949659.1614938183&_s=1&dl=https%3A%2F%2Fwww.example.com%2Fmovies%2F&dr=https%3A%2F%2Fwww.example.com%2Fcasts%2F&dt=Movies%20Free&sid=1628778501&sct=16&seg=1&en=page_view
Are you sending to https://www.example.com/g/collect or was this used for demonstration purposes?
The only time that endpoint would be different for any GA property is if you're sending data to a Server-Side GTM container.
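As an added example (not part of the question or of the answers above), the check below classifies collect requests from a DevTools or proxy log the way the answer describes, by the /g/collect path and v=2, and flags hits that leave for a host other than Google's own collection endpoints, which is what a changed transport_url or a server-side container looks like from the browser's side. The sample request list is constructed for this example: the first entry is the request from the question with its measurement ID left as G-XXXXXX, the last is a constructed legacy Universal Analytics hit. The set of Google collection hosts recognised here is an assumption made for the example, not a complete list.

```javascript
// Added example, not code from the question or answers: classify GA4
// collect requests and flag the ones routed away from Google's own hosts.

// Assumption for this example: Google's first-party GA4 collection hosts.
// Regional endpoints live under google-analytics.com subdomains.
function isGoogleCollectHost(host) {
  const h = host.toLowerCase();
  return (
    h === "analytics.google.com" ||
    h === "google-analytics.com" ||
    h.endsWith(".google-analytics.com")
  );
}

// A GA4 Measurement Protocol v2 hit is recognisable by the /g/collect path
// and the v=2 parameter; anything else is not a GA4 hit.
function classifyHit(rawUrl) {
  const u = new URL(rawUrl);
  const p = u.searchParams;
  const isGa4 = u.pathname.endsWith("/g/collect") && p.get("v") === "2";
  if (!isGa4) return { isGa4: false, url: rawUrl };
  return {
    isGa4: true,
    host: u.hostname,
    measurementId: p.get("tid"),
    event: p.get("en"),
    page: p.get("dl"), // searchParams decodes the %-encoded page URL
    // A hit that goes anywhere but Google's collection hosts is being routed
    // through transport_url or a server-side tagging container. If nobody
    // set that up on purpose, the route does not exist there and 404s.
    routedElsewhere: !isGoogleCollectHost(u.hostname),
  };
}

// Return only the GA4 hits that leave for a non-Google host.
function findRoutedHits(urls) {
  return urls.map(classifyHit).filter((h) => h.isGa4 && h.routedElsewhere);
}

// Constructed sample log: the request from the question (trimmed), a hit to
// the default endpoint, an unrelated API call, and a legacy UA (v=1) hit.
const SAMPLE_REQUESTS = [
  "https://www.example.com/g/collect?v=2&tid=G-XXXXXX&gtm=2oe8b0&_p=424137054&en=page_view&dl=https%3A%2F%2Fwww.example.com%2Fmovies%2F",
  "https://analytics.google.com/g/collect?v=2&tid=G-XXXXXX&en=page_view",
  "https://www.example.com/api/movies?page=2",
  "https://www.google-analytics.com/collect?v=1&tid=UA-12345-1&t=pageview",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findRoutedHits(SAMPLE_REQUESTS)) {
    console.log(`GA4 hit for ${hit.measurementId} (${hit.event}) routed to ${hit.host}`);
  }
}
```

Run over a HAR export or proxy log, the flagged entries are exactly the ones the answer tells you to look for in the "Fields to set" or "Send to Server Container" configuration of the GA4 tag.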

Flask-dance Google oauth setup issue with pythonanywhere

I am trying to set up Google login for my web app with Flask-Dance. The problem is with setting the 'Authorized redirect URI' in the Google Developer Console as https://moneycare.pythonanywhere.com/google/authorized. I get the error 'Invalid Redirect: must use a domain that is a valid top private domain'. This is happening only with the PythonAnywhere domain. If I switch the URL to something like https://moneycare.herokuapp.com/google/authorized, the error does not appear.
Any idea why this is happening?
Thanks.

Firebase email verification in iframe, cross origin iframe error

Lately a new error has popped up, which didn't exist before.
I have a Firebase project mapped to a custom domain.
The structure I'm using is as follows:
firebase-project.example.com is DNS-pointing to Firebase, that's the custom domain, it is tied to the Firebase project (Firebase Hosting).
But the structure I'm offering to the clients is as follows:
www.example.com/firebase-project which is hosted on my own server.
When I have Firebase generate the verification email, I present them a verification link in the email which contains this structure
https://www.example.com/firebase-project/auth/email?mode=verifyEmail&oobCode=SOME_AUTOGENERATED_CODE&apiKey=FIREBASE_API_KEY
The page rendered by https://www.example.com/firebase-project/auth/email contains an iframe, which loads the following URL
https://firebase-project.example.com/__/auth/action?mode=verifyEmail&oobCode=SOME_AUTOGENERATED_CODE&apiKey=FIREBASE_API_KEY
That should (and effectively used to!) verify the email on Firebase Hosting, and present the "ok, verified" message provided by Google inside the iframe, all neatly surrounded by the branded https://www.example.com/firebase-project/auth/email webpage.
But as of lately the iframe shows the following message:
Error encountered
The page is displayed in a cross origin iframe.
and I can't verify the email.
These cross-origin issues usually get fixed by adding the appropriate Access-Control-Allow-Origin headers. Where do I need to set the header, and to which value?
I have tried sending Access-Control-Allow-Origin: firebase-project.example.com and also Access-Control-Allow-Origin: * with the www.example.com/firebase-project/auth/email response, but that does not work.
Could a crossdomain.xml hosted somewhere help me with the issue?
If I inspect the page, and manually copy the iframe-url and paste it in the address bar, then the email will get verified.
No console messages (errors) are displayed at any time.
www.example.com as well as firebase-project.example.com are in the list of authorized domains for that project.
firebase-project.example.com is using Firebase Hosting and therefore has access to the /__/auth/action functionality. It is able to verify the email address.
www.example.com is not hosted on Firebase / Google Cloud and therefore has no /__/auth/action functionality. It can't verify the email address without the help of firebase-project.example.com.
Sadly, the Firebase Admin SDK does not offer any support for letting the backend at www.example.com verify the email address for the given oobCode, which is why I was forced to use an iframe.
This is what the result should look like, instead of just a white page confirming the verification:
And the iframe is implemented as follows:
<iframe src="https://firebase-project.example.com/__/auth/action?mode={## mode ##}&oobCode={## oobCode ##}&apiKey={## apiKey ##}"></iframe>
The Firebase Console Email verification template looks like this
Otherwise I see myself forced to create a redirect to firebase-project.example.com, which results in this page (which actually seems predestined to be embedded in an iframe):
There is exactly zero security gain in preventing the embedding inside a page of an authorized domain.
Also, notice the message "You can now sign-in...". My approach shows the Sign-In link conveniently above the iframe. Without it, the user must now type "www.example.com/firebase-project" into the address bar. It makes so much more sense with an iframe; a more efficient and user-friendly approach.

Msal.js iframe issue with twitter and while choosing from multiple google account

I was going through the Azure AD MSAL library for JavaScript. I tried to run the test app given in the same GitHub link.
The app runs smoothly with Facebook or Microsoft account login. But when I try to log in with Twitter, it throws the following error:
Refused to display 'https://api.twitter.com/oauth/authenticate?oauth_token=....' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://tweetdeck.twitter.com https://tdapi-staging.smf1.twitter.com https://tdapi-staging.atla.twitter.com https://tweetdeck.localhost.twitter.com".
Also, the example works well when I have a single Google account logged in in my browser, or when I enter Google credentials on the Google login page. But when I have multiple Google accounts logged in and choose one of them for the app, it throws the following error:
Refused to display 'https://accounts.google.com/o/oauth2/auth?.....' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
In both cases (Twitter and multiple Google accounts), the login happens and an ID token is generated, but it fails to get the access_token using acquireTokenSilent() and throws the above-mentioned error. Then, because of acquireTokenPopup(), the login popup window shows again, and when I enter the same credentials again I get the access_token.
I have tried using loginRedirect() and acquireTokenRedirect() instead of the popup, but I have seen the same behavior.
What I have understood so far:
In the error cases, the iframe is trying to load the Google/Twitter link as the iframe src on the app home page (which is obviously not allowed).
In the case of successfully acquiring the access_token, I saw that the iframe src was a Microsoft login link (https://login.microsoftonline.com ...).
Can somebody help me understand why this is happening? And if someone has found a way to solve this, please help me out.
I haven't changed anything in the code; I just wanted to understand how msal.js works so that I can implement it in another project.
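The errors quoted in this post, in the first question above and in the Google Docs question below all come from the same two response headers: X-Frame-Options (Google's 'deny' and 'sameorigin') and the CSP frame-ancestors directive (Twitter's list). As an added example, not code from any post here and not from MSAL, Google or Twitter, the function below models the decision a browser makes from those headers, using the header values copied from the error messages. The embedding origins (myapp.example, app.example.com) are made up. It also shows why the Access-Control-Allow-Origin experiments in the Firebase post change nothing: CORS headers govern script access to a response, not whether it may be framed, so the function ignores them.

```javascript
// Added example, not code from any post on this page: a model of the
// framing decision browsers make from X-Frame-Options and frame-ancestors.

const DEFAULT_PORT = { https: "443", http: "80" };

// Reduce an origin string to {scheme, host, port}, with the default port
// filled in so that "https://a" and "https://a:443" compare equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// CSP host matching: "*.example.com" covers subdomains, not the bare domain.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does one frame-ancestors source expression admit `embedder` as an ancestor
// of `framed`? Handles the keyword, scheme-only and host forms; nonce and
// hash sources are not valid in frame-ancestors and never match.
function sourceMatches(source, embedder, framed) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(embedder, framed);
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.scheme === s.slice(0, -1);
  if (s.startsWith("'")) return false;
  let scheme = null;
  let rest = s;
  const i = s.indexOf("://");
  if (i !== -1) {
    scheme = s.slice(0, i);
    rest = s.slice(i + 3);
  }
  const [host, port] = rest.split("/")[0].split(":");
  if (scheme !== null) {
    if (scheme !== embedder.scheme) return false;
  } else if (embedder.scheme !== framed.scheme && !(framed.scheme === "http" && embedder.scheme === "https")) {
    // No scheme in the source: the embedder must use the framed page's
    // scheme, or upgrade from http to https.
    return false;
  }
  if (port === undefined) {
    if (embedder.port !== DEFAULT_PORT[embedder.scheme]) return false;
  } else if (port !== "*" && port !== embedder.port) {
    return false;
  }
  return hostMatches(host, embedder.host);
}

// Decide whether a response with `headers` (lower-case names) fetched from
// `framedOrigin` may be displayed inside a document at `embedderOrigin`.
// Only these two headers matter; Access-Control-Allow-Origin is ignored.
function mayFrame(headers, embedderOrigin, framedOrigin) {
  const embedder = parseOrigin(embedderOrigin);
  const framed = parseOrigin(framedOrigin);

  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    // When frame-ancestors is present, X-Frame-Options is ignored entirely.
    const sources = fa.split(/\s+/).slice(1);
    const allowed = sources.some((src) => sourceMatches(src, embedder, framed));
    return { allowed, reason: `frame-ancestors ${sources.join(" ")}` };
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: sameOrigin(embedder, framed), reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // Absent, ALLOW-FROM or unparseable values are ignored by current browsers.
  return { allowed: true, reason: xfo ? `unrecognised X-Frame-Options '${xfo}' ignored` : "no framing restriction" };
}

// Header values exactly as quoted in the console errors in the posts above.
const GOOGLE_DENY = { "x-frame-options": "deny" };
const GOOGLE_SAMEORIGIN = { "x-frame-options": "sameorigin" };
const TWITTER_CSP = {
  "content-security-policy":
    "frame-ancestors 'self' https://tweetdeck.twitter.com https://tdapi-staging.smf1.twitter.com " +
    "https://tdapi-staging.atla.twitter.com https://tweetdeck.localhost.twitter.com",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(mayFrame(GOOGLE_DENY, "https://myapp.example", "https://accounts.google.com"));
  console.log(mayFrame(GOOGLE_SAMEORIGIN, "https://myapp.example", "https://accounts.google.com"));
  console.log(mayFrame(TWITTER_CSP, "https://myapp.example", "https://api.twitter.com"));
  console.log(mayFrame(TWITTER_CSP, "https://tweetdeck.twitter.com", "https://api.twitter.com"));
}
```

The same logic is what you want on the serving side: an OAuth authorization or account page should carry exactly these headers so that it cannot be embedded by an arbitrary site, which is the clickjacking protection the questions on this page keep running into.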

Google docs redirects to different domain for authorization, when using iframe embed, causing same-origin error

Good day!
I've been googling for a long time, but still no success.
Problem:
Let's suppose we have a Google document which has been embedded into some site with an iframe, following the Google Docs guide. The user has one tab in which he is authorized with his Google account. He visits our site and sees the document. He can access it, edit it, and whatever he wants.
Now he decides to change his Google auth: he logs out and then logs in with a different account. He DOESN'T reload our site (because it is AJAX based), and now he tries to access our document. And here comes the failure. He sees a blank page. In the Chrome JS console there is an error:
Refused to display https://**docs**.google.com/SamplePDFURL in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
The iframe src is "docs.google.com".
What happens? When the user changed authorization, his cookies changed and he became unauthorized for this doc, so Google automatically redirects the frame to the accounts.google.com auth page. BUT! This auth page is on a different domain, ACCOUNTS, and since Google follows the "same origin" security policy, we get an error in the console and a blank iframe for the user.
How to work around this?
Please help somebody.
As I said, I didn't find any working solution for this.
