We included Google reCaptcha v3 in a custom login page that protects SharePoint. The solution works in all browsers except the embedded browser of Office applications. We receive the following error from Word if we try to login via the embedded browser after opening a document from SharePoint:
Your organization's policies are preventing us from completing this action for you. For more info, please contact your help desk.
reCaptcha uses an iframe to work. This iframe looks like this:
<iframe src="https://www.google.com/recaptcha/api2/anchor?ar=1&k=xxxxx;size=invisible&cb=xxxx" width="256" height="60" role="presentation" name="a-o41nkahmlajt" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox allow-storage-access-by-user-activation"></iframe>
I confirmed that iframes with a relative src URL work (e.g. "/otherpage/on/same/host.html").
From this source I know that Office does not allow the navigation to any non-https end point.
I confirmed this by changing production html like I described here.
We can't change settings on the end-user clients because they are guest users.
Does anyone know how to allow specific external addresses for iframes in Office application's embedded browser? Is there maybe an alternative on how to embedd reCaptcha?
Related
I am trying to embed an entire azure website into a wordpress site. The following works:
<iframe src="https://tvirusly.azurewebsites.net" height="1200" width="1600" title="Covid Risk Calculator"></iframe>
but when I click inside the above website or use the following script, it does NOT work:
<iframe src="https://tvirusly.azurewebsites.net/AnonymousEvents/Create" height="1200" width="1600" title="Covid Risk Calculator"></iframe>
I get the error that tvirusly.azurewebsites.net refused to connect.
Thank you in advance for your help.
This happens because the URL https://tvirusly.azurewebsites.net/AnonymousEvents/Create sends the X-Frame-Options: SAMEORIGIN header. It prevents the site to be included in an iFrame.
If you have access to the source code of tvirusly.azurewebsites.net, then you can see this solution: Windows Azure iframe domain provider = issue with X-Frame-Options.
You basically set X-FRAME-OPTIONS to an empty string.
If you can't change the source, then you're out of luck.
I am building an app which wraps some content in html. The users will be able to download this html file and view the content (which changes dynamically based on time and a few details fetched from our servers.
I would like to know if there is any settings on browsers that can block https:// requests from file:// urls?
It works by default, I am just concerned if there is any way users can do this. (browser settings, security zones or something like that)
I believe there is no code samples required for this.
There are windows group policy settings that can block browser downloads, but I'm not aware of browser specific settings. Here are a few links:
http://www.grouppolicy.biz/2010/03/group-policy-setting-of-the-week-18-allow-file-downlaod-internet-explorer/
https://serverfault.com/questions/362974/how-can-i-disable-download-from-all-browsers-using-group-policy-for-domain-users
https://superuser.com/questions/578276/can-i-block-all-file-downloads-in-chrome
I want to embed external content on a website in an iframe. I can only load internal websites and external are undefined.
How can I enable CORS in Intershop 7.7 and load an external URL in an iframe or data dialog?
There is nothing special in using iframes in Intershop compared to another platform. Simply put in your ISML:
<iframe src="https://example.com">
</iframe>
Of course this may not succeed to load as you noticed. Some servers include the X-Frame-Options header with value e.g. SAMEORIGIN which instructs the browser that they don't want to be framed on other sites. This may be used to prevent clickjacking attacks. You may use Firebug or any appropriate tool to monitor for such errors during the frame load. An iframe may also not load if you mix http/s traffic.
If you want to programatically access content from an iframe on a different domain, you may use the Web Messaging API (window.postMessage and the onmessage event) to communicate between the page and the included iframe.
In summary:
you can't simply frame any site (maybe your 'internal' site permits that);
this question is not relevant for the Intershop technology stack;
This should be possible with the content security policy support since version 7.6.
Please check the documentation of appserver.properties file. The keys intershop.response.content-security-policy. should help.
Well am trying to open a word document from office 365 inside my aspx page.
The url is included in an iframe,however the page keeps throwing an error message "This content cannot be displayed in a frame".
example code:
<iframe width="700" height="700" src='https://mysite.sharepoint.com/_layouts/15/WopiFrame.aspx?sourcedoc={13438738-FBFF-4F32-A680-4BF6D47F7682}&action=default'></iframe>
I have tried the following but with no luck:
Add <WebPartPages:AllowFraming runat="server" /> to SharePoint master page
Allow external iframes in HTML Field Security in office 365 site settings.
Add the office 365 SharePoint to trusted sites in internet explorer and enabling display mixed content
Add IHttpModule to my asp.net web application to adding headers for the X-Frame-Options HttpContext.Current.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
Deploying Ventigrate.Shared.PermissiveXFrameHeader feature on the office 365 SharePoint site
The thing is I have added
Ignore X-frame headers extension
to my google chrome and I was able to open the word document in google chrome only.
Also if I have change the action inside the url from default to interactivepreview the page will open in IE.
Nevertheless there is no extension for IE,but if there is a solution in google chrome that means there is a possibility to make it work for IE.
Any help would be highly appreciated.
Im working on a web-scraping project i know how to get certain data from target page through HtmlAgilityPack. But i dont know what to send in the Post information of that page. The page is not sending any information through querystring. There are three textboxes in that page, two checkboxes and a search button
when i inspect the button with firebug it gives following information
<img border="0" align="top" onclick="javascript:PVO_PId_Search(
document.ProtocolForm.searchplt,
document.ProtocolForm.towcheck.checked,
document.ProtocolForm.collateralcheck.checked,
document.ProtocolForm.selState[document.ProtocolForm.selState.selectedIndex].value,
document.ProtocolForm.selPltType[document.ProtocolForm.selPltType.selectedIndex].value)" onmouseout="this.className='flyOut'" onmouseover="this.className='flyOver'" alt="Search" value="PSearch" name="PSearch" onload="javascript:updateButtonWithOneTxtbox(document.ProtocolForm.searchplt,this,'v_images/Search_button.gif','v_images/Search_button_grey.gif');" src="v_images/Search_button.gif" class="flyOut">
Now my question is, Is there any tool or firefox addin available which i can use and monitor (or debug) what kind of Post information it is passing ?
You can use built-in Web Developer tools in Chrome and/or Safari, etc to inspect all http request/responses between your client (browser) and the (server) web site. You'll see it in the NETWORK inspector tools.
However, unless it's your site, or some worthy educational experiment, whether or not you can actually spoof (yes, that's what it really amounts to) a POST (or GET) to the site depends on whether or not it has some built in protections/validations that protect it from such attempts.
Update:
Just fire up Chrome and (on Windows) CTRL+SHIFT+I (Safari, its CTRL+ALT+I) and you should see the NETWORK INSPECTOR:
Update 2:
And just for reference, if you want network inspection that isn't dependent on a browser, Fiddler is always part of my personal tool kit.