Issue: We get CSP (Content Security Policy) error with our Visualforce page integration.
The issue is that when we access this in sandbox testing, we find that our content is wrapped in an iframe, and that iframe also contains an iframe.
The outer iframe does not seem to have a URL, and so we cannot exclude it from our CSP whitelist.
apex putting the iframe dynamically inside another iframe that is not having any src, that is why we are not able to whitelist the domain that can open our site into iframe.
This is the sample parent iframe.
<iframe allow="geolocation *; microphone *; camera *" frameborder="no" height="1000px" id="0661b0000004nmw" marginheight="0" marginwidth="0" name="0661b0000004nmw" scrolling="yes" title="HelloWorld" width="100%">
<iframe src="https://example.com"> </iframe>
</iframe>
Error log from developer console of browser.
[Report Only] Refused to display 'https://example.com' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' *.salesforce.com".
Please let me know if there is a way to resolve the content security error in this case!
Related
I have a MS-WOPI client in Sharepoint that correctly accepts URL requests to open Word documents like:
https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=interactivepreview
That works fairly good either by opening the URL directly in a browser, or setting it as the source in an iframe like this:
<iframe _ngcontent-ryg-c10="" frameborder="0" height="750" width="100%" src="https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=interactivepreview"></iframe>
So, that URL works perfectly fine for both direct opening and using it in an iframe.
The problem is, that if change the WOPI action value from "interactivepreview" to an edition action value like "edit", for example, like this:
https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=edit
the URL can still be opened correctly when opened directly in the Web browser, but if this new URL is used in an iframe like this:
<iframe _ngcontent-ryg-c10="" frameborder="0" height="750" width="100%" src="https://myCompany.sharepoint.com/:w:/r/teams/Test-EZ-CO-LON/Test-CO-L1227/_layouts/15/WopiFrame.aspx?sourcedoc=%7BCDE12345-ABC1-4A5F-9097-008E876E4E66%7D&action=edit"></iframe>
Then Sharepoint refuses to frame, sending this content security policy error message:
Refused to frame 'https://myCompany.sharepoint.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com *.powerapps.com *.yammer.com *.officeapps.live.com *.office.com *.stream.azure-test.net *.microsoftstream.com".
So, in summary:
For non-editable WOPI actions (e.g. "interactivepreview") the URL works well for all scenarios (both within an iframe and non-iframe).
For editable WOPI actions (e.g. "edit"), the URL works well only if consumed directly (non-iframe).
For editable WOPI actions, the URL does not work when used in an iframe because the aforementioned error.
Is this a WOPI misconfiguration, a Sharepoint misconfiguration, a client (browser) request misconfiguration, or something else?
I put video in iframe on my site, and not work, I have error
Failed to load https://googleads.g.doubleclick.net/pagead/id: Redirect from 'https://googleads.g.doubleclick.net/pagead/id' to 'about:blank' has been blocked by CORS policy: Redirect location 'about:blank' has a disallowed scheme for cross-origin requests.
My youtube code:
<div class="embed-responsive embed-responsive-16by9"><iframe src="https://www.youtube.com/embed/HiixPZ0xkk0" frameborder="0" style="height: 0px;"></iframe></div>
Any idea?
EDIT:
Full errors
You can download the video and use that as your source too.
Ok I find solution here: http://centrumps.pl/iframe-problem-w-prestashop-1-7-z-youtube/
must remove www from address
I am trying to insert pdf into blogger using iframe.But I am getting blank page
Any idea How to fix it. I was getting blank page with chrome and firefox. I was getting error "This publisher does not allow to publish" in internet explorer
> <iframe width="100%" frameborder="0"
> src="https://drive.google.com/file/d/0B15mEFBok9BVUExXV2lRTDNsYjQ/view?usp=sharing"></iframe>
It seems like Google Drive has the HTTP header X-Frame-Options set to SAMEORIGIN. That means that it can only be embedded within the same domain (drive.google.com). You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
You should be able to see the error by opening your browser's console:
Refused to display 'https://drive.google.com/file/u/2/d/0B15mEFBok9BVUExXV2lRTDNsYjQ/view?usp=sharing' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.`
My recommendation is to host it somewhere else (e.g. Amazon S3), where you have control over the HTTP headers.
I have a iframe in asp.net page.
The page is secured page (ie., https://www.abcd.com)
I have a button in this page. Onclick of this button we have to display an iframe, inthat iframe display a video from an http:// url (it is actually an another url in internet).
Currently we have tried with the url : http://xyx.com/v.aspx?4343
<iframe width="320" scrolling="no" height="240" frameborder="0" framespacing="0" marginwidth="0" marginheight="0" border="0" allowtransparency="true" style="BACKGROUND-COLOR: transparent;" src="http://xyx.com/v.aspx?4343">
This is giving an error :
Blocked loading mixed active content - http://xyx.com/v.aspx?4343
Can somebody advise how can I load this url in my secured page?
Have tried with the url //xyx.com/v.aspx?4343, however we are getting resource not found 404 error.
please advise..
In short, you cannot serve a cross origin insecure iframe when you're hosting a SSL encrypted application. In order to serve iframe content, both the host application and remote applications will have to use SSL encryption or both the host and remote applications will have to use un-encrypted requests.
You can find a more detailed answer at Stack Overflow Question 9280665
I have a simple question, but can't find the answer that I'm looking for.
Is a http iframe that's loaded on a secure https page also secured?
A iframe with http source will not be displayed on a https website as it's considered mixed content and browsers like Chrome will block the content with the following message:
Mixed Content: The page at 'your website' was loaded over HTTPS,
but requested an insecure resource 'iframe http source '. This
request has been blocked; the content must be served over HTTPS.
So far I have not seen a solution to allow mixed content.
There has been a solution for Firefox which is based on redirecting the iframe source via another website that is hosted on the HTTPS Domain.
It is not automatically, you should verify if the src of your iframe is connecting via https or not:
<iframe src="http://www.example.com"></iframe>
your iframe doesn't extend the https access from principal page.