When Microsoft Edge opens a page which contains an iframe in secure mode, it will also request the target page even if the scheme of the iframe is HTTP.
This may cause the user to send some non-encrypted content even in secure mode. As I tested, this content may even contain cookies, which leads to great risk.
I have created a project testing this issue at https://github.com/Anduin2017/EdgeProblem.
But I wondered if it was a problem with Microsoft Edge itself or my mistake?
How to avoid this problem?
It seems that Microsoft has fixed this issue.
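As an added example, not part of the original question or its follow-up, the check below does what the poster did by hand: it scans an HTTPS page for iframes whose src is plain http:// (the mixed-content case that Edge was loading), and lists the cookies that lack the Secure attribute, which are the ones a browser is permitted to attach to such a plaintext subrequest. The HTML and Set-Cookie values are constructed for this demonstration; the hostname example.test is a placeholder.

```python
"""Mixed-content iframe and cookie Secure-attribute check (added example; the
sample HTML, cookies and the example.test host are constructed, not taken
from the linked EdgeProblem project)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def insecure_iframes(html, page_url):
    """Return iframe src URLs that would be fetched over plain HTTP while the
    embedding page itself is HTTPS (mixed content). Relative and
    scheme-relative srcs inherit the page scheme and are not flagged."""
    page = urlparse(page_url)
    if page.scheme != "https":
        return []  # mixed content is only a concern on a secure page
    collector = IframeCollector()
    collector.feed(html)
    return [src for src in collector.srcs if urlparse(src).scheme == "http"]


def cookies_without_secure(set_cookie_headers):
    """Return names of cookies whose Set-Cookie header lacks the Secure
    attribute; these are the cookies a browser may send on an http://
    subrequest. Cookies marked Secure are never sent in the clear."""
    exposed = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample: an HTTPS page embedding one http:// frame, one https://
# frame and one relative frame.
SAMPLE_HTML = """
<html><body>
  <iframe src="http://example.test/widget"></iframe>
  <iframe src="https://example.test/secure-widget"></iframe>
  <iframe src="/local-frame"></iframe>
</body></html>
"""
# Constructed sample: one cookie correctly marked Secure, one not.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    print("insecure iframes:", insecure_iframes(SAMPLE_HTML, "https://example.test/"))
    print("cookies without Secure:", cookies_without_secure(SAMPLE_SET_COOKIE))
```

Whatever a given browser version does with the frame, the two findings this prints are the ones under the site owner's control: remove or upgrade the http:// embed, and mark session cookies Secure so they cannot travel over a plaintext request at all.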
Related
I am working on adding a very old web application to a site. We have to display the web application in an iframe on the site. When using Internet Explorer 11, the web application will display in the iframe without an issue. It should be noted that this is an old web app
Chrome and Edge on the other hand will display an error in the developer console: Refused to display '{APPLICATION_URL}' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors {SERVER_NAME}".
One thing to note is that this will not always happen in Chrome and Edge. I'd say about 80% of the time I will receive the error, but 20% of the time the application will load fine in the iframe and have no issues. This makes me think that maybe the issue is specific to a group of servers on our farm, but am unable to prove that.
I have very limited visibility over our servers here, but I can get someone else to get me more information if that is needed.
I found the solution for this. One thing to note: Internet Explorer does NOT support the Content-Security-Policy header. That is why this worked in IE 100% of the time. IE was unable to do anything with that header, so it just loaded the app like it thought it was supposed to.
I was able to work with some people who have access to the servers that the web application is hosted on. I found the problem was caused by an IIS setting for the default site that the applications on this one server belong to.
There are two servers that host the application, and a load balancer will direct you to a server depending on traffic. One of the servers added an HTTP header for the content security policy to all outbound traffic for the applications on the server. This explained why sometimes the app would load fine, and other times it would fail.
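The two things a practitioner wants to check in this situation are whether the frame-ancestors source list actually permits the hosting page, and whether the header is coming back consistently from every server behind the load balancer. The following is an added example, not code from the original question or answer; the policy strings, the example.test hostnames and the sampled response headers are constructed for the demonstration, and the source matcher covers the common forms ('self', 'none', *, scheme-source, host-source with a leading wildcard) while ignoring port matching for host-sources.

```python
"""Evaluate a CSP frame-ancestors directive and spot a header that differs
between backends (added example; all hostnames and headers are constructed)."""
from urllib.parse import urlparse


def parse_frame_ancestors(csp_header):
    """Return the frame-ancestors source list, or None when the policy has no
    such directive (CSP then places no restriction on framing)."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _host_matches(pattern, host):
    """Host-source matching: exact host, or *.example.test for subdomains."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.test" -> ".example.test"
    return host == pattern


def frame_ancestors_allows(csp_header, ancestor_url, self_url):
    """True if a page at ancestor_url may frame the resource that sent
    csp_header and whose own origin is self_url."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True
    ancestor = urlparse(ancestor_url)
    own = urlparse(self_url)
    for src in sources:
        low = src.lower()
        if low == "'none'":
            return False
        if low == "'self'":
            if (ancestor.scheme, ancestor.hostname, ancestor.port) == (
                own.scheme, own.hostname, own.port):
                return True
        elif low == "*":
            return True
        elif low.endswith(":") and "/" not in low:  # scheme-source, e.g. https:
            if ancestor.scheme == low[:-1]:
                return True
        else:  # host-source, optionally prefixed with a scheme
            parsed = urlparse(src if "://" in src else "//" + src)
            if parsed.scheme and parsed.scheme != ancestor.scheme:
                continue
            if _host_matches(parsed.hostname.lower(), ancestor.hostname.lower()):
                return True
    return False


def inconsistent_headers(samples):
    """Given response-header dicts sampled repeatedly through the load
    balancer, return the header names whose value or presence varies between
    samples. An error that appears only some of the time usually means one
    backend adds a header the others do not."""
    names = {k.lower() for headers in samples for k in headers}
    varying = set()
    for name in names:
        values = {next((v for k, v in h.items() if k.lower() == name), None)
                  for h in samples}
        if len(values) > 1:
            varying.add(name)
    return varying


# Constructed samples: a policy that only admits the portal, and three
# responses of which one backend omits the CSP header.
POLICY = "default-src 'self'; frame-ancestors 'self' https://portal.example.test"
SAMPLE_RESPONSES = [
    {"Server": "Microsoft-IIS/10.0", "Content-Security-Policy": POLICY},
    {"Server": "Microsoft-IIS/10.0"},
    {"Server": "Microsoft-IIS/10.0", "Content-Security-Policy": POLICY},
]

if __name__ == "__main__":
    print(frame_ancestors_allows(POLICY, "https://portal.example.test/hub", "https://app.example.test/"))
    print(frame_ancestors_allows(POLICY, "https://other.example.test/", "https://app.example.test/"))
    print(inconsistent_headers(SAMPLE_RESPONSES))
```

Run the sampler against the same URL a few dozen times; if Content-Security-Policy turns up in the varying set, the fix belongs in the IIS configuration of the backend that differs, not in the page being framed.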
I've developed a website in Asp.net using VB. One of the requirements was for a qlikview to be displayed.
It's under a type of report hub, where I've got a list on the side of the page where the user can select a report and the rest of the page is an iframe. When the user selects a report, a JavaScript function is fired which sets the address of one of the reports into the iframe. The reports are all on their own page, so I'm basically calling the page from the same domain and showing it in the iframe; no issue here. The problem comes when I've got to display the Qlikview which is hosted on another server.
This throws an error in the inspector, but it still displays fine; it works like this on Chrome, Edge, Explorer and Firefox.
The issue comes with Safari, it blocks the authentication request because it is a cross-origin request.
I've tried the answer from this question. I've tried changing the domain name as listed here.
I've tried allowing cross origin access as listed here, but it didn't help.
I'm still very new to this, so I apologize if this is a simple solution.
Take a look here; maybe this can help you:
Using cors with all modern browsers
If it is working OK on Chrome and Firefox, it is set up OK on the server. Qlikview officially supports IE and Chrome. Safari has some issues with headers.
If you host your add-on (what is in the iframe for Qlikview) on S3, for example, then for Safari you need to allow the origin header; on other hostings it is probably something similar:
<AllowedHeader>origin</AllowedHeader>
A workaround is also that the Qlikview server can use IIS for displaying the Qlikview access point. If you want, you can just go to the IIS settings on the Qlikview server and set the folder where you deploy your add-on pages; this way it can be configured that both will be served from the same domain (your add-on and the Qlikview access point). There is also a Qlikview server configuration without IIS, with Qlikview Web Server, which will not allow deploying another site.
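The answer's advice amounts to: either put the add-on and the access point on one origin, or answer the cross-origin request with explicit CORS headers that name the embedding origin. The following is an added example of the second option, not the answer's own code and not any Qlikview or S3 configuration; the allowlisted origins are constructed example.test hostnames, and the server framework is left out so only the header logic is shown. It also covers the preflight (OPTIONS) response that a request with custom headers triggers, which the answer does not discuss.

```python
"""CORS response headers for a credentialed cross-origin request (added
example; the origins and request headers below are constructed)."""

# Origins permitted to embed and call the service (constructed values).
ALLOWED_ORIGINS = {"https://reports.example.test", "https://hub.example.test"}

# Request headers the service is willing to accept on cross-origin calls.
PERMITTED_REQUEST_HEADERS = {"origin", "content-type", "authorization"}


def cors_response_headers(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Headers for the actual (non-preflight) response.
    Rules: reflect the Origin only when it is on the allowlist; never answer
    "*" when credentials are allowed, because browsers reject that pairing;
    add Vary: Origin so a shared cache never hands one origin's answer to
    another."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def preflight_response_headers(request_headers, allowed_origins=ALLOWED_ORIGINS):
    """Headers for an OPTIONS preflight. Only the requested headers that are
    on the permitted list are echoed back; anything else is silently dropped,
    which makes the browser refuse the real request."""
    base = cors_response_headers(request_headers, allowed_origins)
    if not base:
        return {}
    requested = request_headers.get("Access-Control-Request-Headers", "")
    wanted = [h.strip().lower() for h in requested.split(",") if h.strip()]
    allowed = [h for h in wanted if h in PERMITTED_REQUEST_HEADERS]
    base["Access-Control-Allow-Methods"] = "GET, POST"
    if allowed:
        base["Access-Control-Allow-Headers"] = ", ".join(allowed)
    base["Access-Control-Max-Age"] = "600"
    return base


if __name__ == "__main__":
    # Constructed requests: one from an allowlisted origin, one from elsewhere.
    print(cors_response_headers({"Origin": "https://reports.example.test"}))
    print(cors_response_headers({"Origin": "https://unknown.example.test"}))
    print(preflight_response_headers({
        "Origin": "https://hub.example.test",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Content-Type, X-Debug",
    }))
```

Note that CORS only governs whether script on the embedding origin may read the response; it does not make a browser send cookies to the framed origin. Safari's behaviour with the cookie of a third-party frame is a separate setting on the user's side, which is why the same-origin deployment the answer describes is the more robust fix.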
I am implementing a bookmarking service (think Instapaper) using Firebase as a back end. Mostly it's working great, however I'm running into one major problem.
A core part of the service will be a bookmarklet that allows users to bookmark pages they are currently viewing in their browser (again, like Instapaper's: https://www.instapaper.com/save).
The first problem I encountered when implementing this was that even when a user is logged in on my firebaseapp.com page, that user was not showing up as authenticated when the JavaScript from the bookmarklet was fired. I figured out this was most likely due to cross-domain issues, so I next implemented an iframe-based solution, the idea being that the URL of the iframe is hosted on my firebaseapp.com site, allowing the currently-logged-in user to show up as authenticated.
This works great in Chrome and Firefox but fails in Safari when the security setting for cookies and website data is set to "Allow from websites I visit" rather than "Always allow" (asking users to switch that setting to "Always allow" is not practical).
Is there any solution to this problem? Forcing users to log in every time the bookmarklet is clicked on a new domain would be highly inconvenient. I'm basically out of ideas at this point (and starting to get out of my depth on the web dev side of things).
Thank you so much for any help!
We have a Sitecore/Webforms based website that we'd like to run behind Akamai CDN however we're having an issue with ViewState MAC validation on our postbacks.
We've worked around this for most of the core forms on the site (by taking them out of the CDN cache and serving them direct for every user), but we're left with a simple form in the footer of every page that posts back to the server.
Currently we're seeing errors:
Validation of viewstate MAC failed.
I believe this is caused by the CDN caching the viewstate fields from the original request and these (obviously) not matching for other users.
As we are running this site on multiple servers, we already have the machinekey correctly configured (we've been able to use postBackUrl settings to post back to other pages/SSL instances/etc.) before we added Akamai.
As we're running Asp.NET 4.5.2 there's no way we can even attempt to disable viewstate MAC even if we thought it was a good idea.
Setting ViewStateMode=Disabled still leaves us with a tiny viewstate (presumably the MAC) which still causes problems.
Is there any way we can remove the session dependence from the viewstate?
The basic steps we can use to replicate this:
Request page from Browser A - Akamai caches page.
Submit form from Browser A - Success!
Request page from Browser B - Akamai serves cached page.
Submit form from Browser B - ERROR!
Nope, Akamai CDN never caches POST requests. But it's a good idea to try adding the forms to the do-not-cache list and try to replicate the issue.
I work on a web application in ASP.NET and HTML5. I have a simple page, Default.aspx. In its Page_Load handler I call Response.Redirect("xxx.aspx"). I also defined a manifest file, Default.appcache, as I want my application to work offline (in that case JavaScript methods are used for redirection). The browser cached the page as expected, but a problem occurred: even though the server is online, the browser uses the cached page. When the user enters Default.aspx, no call is sent to the server. How can I prevent this behavior? I would like the browser to send a normal request to IIS if it is online and use the cached page only when the server doesn't respond.
I would be grateful for all suggestions.
You can't; pages in the cache are always served from the cache. The only way to update them is to update the manifest and force new versions to be downloaded.
If you want one page to be served when online and a different one when offline then you should investigate the FALLBACK section of the manifest. Note that the page which references the manifest is always cached, so you need to set the fallback up on a different pair of pages.