When I put into html file this code, it does not show website.
<iframe src="https://www.ge-tracker.com/names/claws">
Can somebody help?
It is because your target site to put into the iframe does not allow itself to be loaded into an iframe that is hosted on a a different domain. It uses the X-Frame-Options http header to advise this to any browser that requests it.
You can examine this by looking at the error console in your chosen browser.
For instance, using Chrome, you will see:
Refused to display 'https://www.ge-tracker.com/names/claws' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
Related
I have an iFrame which I only wanted to be embeddable on a specific website. For this I found the the following code
Header set Content-Security-Policy: "frame-ancestors https://..."
I put this code into my .htaccess file and it worked perfectly when testing it on my laptop. But when I access the specific URL where the iFrame should be allowed to be embedded with my smartphone (Android + iOS), it's blocked. I searched some time on Google but couldn't find a hint or way to change this.
Hope you can help me out on this.
Edit:
I searched through the net and tested a lot of stuff but nothing works. My .htaccess looks like this:
Header set Content-Security-Policy: "frame-ancestors domain1 domain2/embed.php?id=1;"
domain2/embed.php?id=1 includes the videosource which I want to embed on another website. When calling this domain the video is ready to go in my browser. When I check the console on MAC (this seems to be a Safari problem) I get the following error message:
The source list for Content Security Policy directive 'frame-ancestors' contains a source with invalid path: '/embed.php?id=1'. The query component, including the "?" will be ignored.
Refused to load domain2/embed.php?id=1 because it does not appear in the frame-ancestors directive of the Content Security Policy.
When inserting https://domain2 or domain2 in the frame-ancestors line nothing changes, the video is still not available in Safari. I read that I have to insert the link in the error message to the frame-ancestors but then the ? will be ignored and the video can't be displayed.
There must be someone who has a suggestion to this problem or?
I am trying to embed an entire azure website into a wordpress site. The following works:
<iframe src="https://tvirusly.azurewebsites.net" height="1200" width="1600" title="Covid Risk Calculator"></iframe>
but when I click inside the above website or use the following script, it does NOT work:
<iframe src="https://tvirusly.azurewebsites.net/AnonymousEvents/Create" height="1200" width="1600" title="Covid Risk Calculator"></iframe>
I get the error that tvirusly.azurewebsites.net refused to connect.
Thank you in advance for your help.
This happens because the URL https://tvirusly.azurewebsites.net/AnonymousEvents/Create sends the X-Frame-Options: SAMEORIGIN header. It prevents the site to be included in an iFrame.
If you have access to the source code of tvirusly.azurewebsites.net, then you can see this solution: Windows Azure iframe domain provider = issue with X-Frame-Options.
You basically set X-FRAME-OPTIONS to an empty string.
If you can't change the source, then you're out of luck.
I'm working on a web app that contains iframes whose sources are from different domains. I want to be able to detect whether or not a website will load successfully in an iframe.
I've tried a bunch of solutions I've found here, none of which seem to work. I've tried setting a timer and then checking the content of the iframe (which won't work because of the same-origin policy). I've tried performing a GET request to the source of the iframe, but a lot of domains won't let you do this even if the iframe loads up.
From my understanding, whether or not it loads is determined by the X-Frame-Options, but I don't think I have access to that either because I cannot get the HTTP response headers.
Is this just impossible? Any help would be appreciated.
How can we use github pages embedded in an iframe correctly?
I've hosted a website in firebase and it is using a custom domain over https, for example, https://www.example.com.
This website uses react and other things, but for one route (the landing page one) I would like to use a static page hosted on github, for example https://example.github.io/page. So, to achieve this I've created an iframe inside the route https://www.example.com/page.
The problem is I've been receiving the following error:
Mixed Content: The page at 'https://www.example.com/page' was loaded
over HTTPS, but requested an insecure resource
'http://example.github.io/page/'. This request has been blocked; the
content must be served over HTTPS.
The strange thing is the iframe looks correctly:
<iframe title="Page" src="https://example.github.io/page">unwanted text</iframe>
It is already using https, but looks like this is being ignored.
I already tried to use this meta <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">, close the iframe with </iframe> and add an unwanted text inside the iframe.
Can we solve this?
If you carefully examine your HTML code and the error message, you'll notice a slight difference in URLs besides the protocol part:
https://example.github.io/page - in the iframe src tag
http://example.github.io/page/ - in the error message
The reason could be that the URL https://example.github.io/page returns a redirect to the "canonical" version with the trailing slash (/page/), but a redirect URL must be a full URL, and the server for some reason isn't including the actual protocol in the redirect URL, always using http:// instead. That could be due to configuration or coding at the server side (see also github issue #289).
As a workaround, use a URL that doesn't trigger the canonicalization redirect, i.e. https://example.github.io/page/.
We have a web page containing an iframe containing a page sharing an authentification cookie with it's parent page. For example the iframe page is on the domain foo.domain.com and the page containing the iframe is on foo2.domain.com. Both share a cookie from domain.com. Authentification works great, but the problem is with ASP.NET in IE7, we always get a javascript error:
Access is denied.
ScriptResource.axd
We are using ASP.NET 3.5, we use Ajax Control Toolkit also (latest version 3.0.30930.0). The problem doesn't occur for IE8. No problem in Firefox and Chrome also.
Anyone encountered this problem before?
If there's a DNS redirection IE7 can have issues, e.g. if http://site.domain.com is really http://www.domain.com/site, the transparent DNS redirect has issues in IE7, but not the other browsers you mention. IE7 treats this as a cross-domain script and blocks...you just get Access Denied.
Is this the case, or something similar with redirects or different domains? If you can test the main page as just domain.com/ do you get the error? IE7 treats a child differently than a sibling.
In JavaScript you might need to change the document domain. It's possible IE7 is looking at the domains all the way to the server level: foo.domain.com != foo2.domain.com. IE8, et al, are likely taking the document domain at face value of *.domain.com.
Here's a quick related blog article on it: http://jszen.blogspot.com/2005/03/cross-domain-security-woes.html.
To copy the code though, adding the following to both pages should get it rolling again.
<script type="text/javascript">
document.domain="example.com";
</script>