Redirecting To External URL - google-app-maker

I want a redirect to be triggered on a certain action but am running into issues with same origin policies.
Has anyone had any luck redirecting to external URLs (I can't use app.showPage)?
I've tried window.location.href but it's blocked because the iframe that the app is loaded into does not allow cross-origin requests.
At best I've gotten window.open to work but because of the cross-origin policy it opens in a new page even if the windowName parameter is set to window.name.

Related

Keycloak SAML request in an iframe: No 'Access-Control-Allow-Origin' (CORS error)

I'm working on a tool that embeds an iframe of an external app. The authentication to this external app is via SAML and Keycloak. However when using the iframe, the SAML request to Keycloak does not work: "... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
Scenario 1: Accessing the external app using the browser (normal way)
I get redirected to the Keycloak login page and after successful authentication, it redirects to the external app and everything works fine.
Scenario 2: Loading the external app using the iframe
The iframe is loaded and the Keycloak login page is shown. However, after entering the credentials, the triggered SAML request to Keycloak is blocked due to the CORS issue, see "Failed SAML request to Keycloak within the iframe".
Once I click on the failed URL (starting with "saml?SAMLRequest=...") and access it the normal way (browser), everything works fine.
I read on multiple sites, e.g. here Keycloak Access-Control-Allow-Origin, that you have to enter your webpage (in this case localhost:8080) to the Web Origin field within the Keycloak interface. This one only exists when choosing the openid-connect value in Client Protocol though. So, when switching from openid-connect to SAML, which I use, the Web Origin field disappears. I even tried to export the config file for that Keycloak client in order to manually enter the WebOrigin property, which did not work either.
How can I change the CORS policy for this iframe when using SAML (not openid-connect) since I don't have access to the Web Origin field?
Thanks in advance!
Keycloak doesn't allow itself to be loaded in an iframe by default.
The Keycloak admin must allow that explicitly per realm in Realm settings -> Security Defenses -> Headers -> X-Frame-Options. Make sure you understand all security consequences before you allow Keycloak in the iframe. It's a security setting.
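To check what a login page's framing headers permit before changing the realm setting, the sketch below evaluates X-Frame-Options together with the CSP `frame-ancestors` directive, which browsers give precedence when both are sent. It is an added example, not part of the answer above and not Keycloak code; the function name, host names and header values are constructed for illustration.

```javascript
// Added example: would a browser let `embedderUrl` frame the page at `pageUrl`,
// given the page's response headers? Handles 'self', 'none', '*' and exact
// origins only; wildcard hosts and scheme-only sources are treated as no match.
function framingAllowed(headers, pageUrl, embedderUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const self = new URL(pageUrl).origin;
  const embedder = new URL(embedderUrl).origin;

  // frame-ancestors, when present, overrides X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    const allowed = sources.some(src => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedder === self;
      if (s === '*') return true;
      try { return new URL(src).origin === embedder; } catch { return false; }
    });
    return { allowed, reason: 'CSP ' + directive };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedder === self, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction sent' };
}

// Constructed sample: a restrictive header set on a placeholder IdP host.
const SAMPLE_HEADERS = {
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
};
const SAMPLE_PAGE = 'https://sso.example.test/realms/demo/protocol/saml';

console.log(framingAllowed(SAMPLE_HEADERS, SAMPLE_PAGE, 'http://localhost:8080/tool'));
```

If the embedding origin has to be allowed, naming it in `frame-ancestors` keeps every other origin blocked, which is narrower than removing the header.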

Mixed Content: Iframe converting https call to http and the request gets blocked

We have a website which provides referral options for healthcare providers via digital signature. We are upgrading our website security policy to not redirect to the third-party website for e-signature. Instead of redirecting to the third-party website, we are trying to embed the third-party website inside our website for e-signature.
Now the technical question:
We are using an iframe to embed the third-party website. We have a custom third-party link for each signature which needs to load in this iframe.
Our website is on HTTPS and the third-party site is also on HTTPS.
We are getting the error below even though the third-party URL used is on HTTPS:
**The page at 'https://mywebsite.com/' was loaded over HTTPS, but requested an insecure resource 'http://MyThirdPartyIntegratedWebsite' This request has been blocked; the content must be served over HTTPS**
The URL is formed for each user and is customized for his signature:

```javascript
$scope.detailFrame = 'https://MyThirdPartyIntegratedWebsite/userID=123';
```

Whitelisted the third-party website too:

```javascript
$sceDelegateProvider.resourceUrlWhitelist([
  // Allow same origin resource loads.
  'self',
  // Allow loading from our assets domain. Notice the difference between * and **.
  'https://MyThirdPartyIntegratedWebsite/**'
]);
```

How can we keep the iframe from calling the third-party website insecurely?
It was actually the internal redirects from the third-party website that were causing the problem. We initiated a call with them to resolve this. Thank you sideshowba
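The failure described in this thread, an HTTPS frame URL whose server-side redirects pass through `http://`, can be pinned down by walking the `Location` chain and flagging the first non-HTTPS hop. The following is an added example, not code from the post: the redirect table is constructed sample data standing in for the third party's responses, and the host name and function name are placeholders.

```javascript
// Added example. Constructed redirect table: URL -> Location header value.
const SAMPLE_REDIRECTS = {
  'https://esign.example.test/userID=123': '/session/start?u=123',
  'https://esign.example.test/session/start?u=123': 'http://esign.example.test/sign/123',
  'http://esign.example.test/sign/123': 'https://esign.example.test/sign/123',
};

// Follow Location headers from startUrl and mark every hop that a browser
// would block as mixed content when the frame sits inside an HTTPS page.
// The whole chain is traced (not just up to the block) so it can be handed
// to whoever operates the redirecting server.
function traceFrameRedirects(startUrl, redirects, maxHops = 10) {
  const hops = [];
  const seen = new Set();                 // guards against redirect loops
  let current = new URL(startUrl).href;
  while (hops.length <= maxHops && !seen.has(current)) {
    seen.add(current);
    hops.push({ url: current, insecure: new URL(current).protocol !== 'https:' });
    const location = redirects[current];
    if (location === undefined) break;    // final response, no redirect
    current = new URL(location, current).href;  // resolve relative Location
  }
  const firstInsecure = hops.find(hop => hop.insecure);
  return { hops, blockedAt: firstInsecure ? firstInsecure.url : null };
}

const trace = traceFrameRedirects('https://esign.example.test/userID=123', SAMPLE_REDIRECTS);
console.log(trace.blockedAt);  // the hop the embedding page's error message names
```

Against a live endpoint the same table can be filled from the `Location` header of each response, requested without automatic redirect following.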

iFrame using http source display on https website - is it possible?

I'm trying to inject the following iframe onto my https website:
Screenshot of code
Is it possible to use a http iframe on an https website?
This is the error I receive when I inject it currently:
The webpage at https://trk.slvrbck.net/aff_ad?campaign_id=191&aff_id=25171&format=iframe might be temporarily down or it may have moved permanently to a new web address.
Thanks!
You may include your http iframe in an https website. The https site will encrypt the http iframe once its data is being sent from client to server.
Getting it to work is another deal on its own:
Refer to this to get it to work:
How to allow http content within an iframe on a https site

How to open https in iframe from http page?

I have a main page which opens via http. On this page I open an iframe with the same domain but via https and get this error message:
Blocked a frame with origin "https://example.com" from accessing a cross-origin frame
Is it possible?
If the main page (http) could access the iframe (https), it would be a security problem!
More information on this security feature: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Just move the main page to https, it will solve your problem and secure your visitors.

Using reverse proxy for http and https mixed content

We're working on a web application which allows the user to do some design for mobile devices. The user simply enters some url and that url is previewed inside some iframe. The problem is, our application is running on https and if the user enters a non-https address it's not displayed by the browser for obvious reasons...
So can we use some reverse-proxy configuration to overcome this issue somehow? For example we'll set the iframe url as http://myserver.com/?url=http://externalserver.com and the reverse proxy will simply return the externalserver.com content back...
Is something like this possible?
