I need to use a couple of iframes for a page hosted with Firebase, but it's giving me an X-Frame-Options error. One of the iframes is for a gallery hosted on Picasa, and another iframe is for a contact form (because I couldn't send email via Firebase :()
Here is the error:
Refused to display 'https://get.google.com/albumarchive/pwa/11111/album/1111?source=pwa#slideshow/1111' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
jquery.min.js:2 Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "https://demodomain.com" from accessing a cross-origin frame.
I did this in firebase.json but it didn't work:
  "headers": [
    {
      "source": "**/*",
      "headers": [
        {"key": "X-Content-Type-Options", "value": "nosniff"},
        {"key": "X-Frame-Options", "value": "ALLOW"},
        {"key": "X-UA-Compatible", "value": "ie=edge"},
        {"key": "X-XSS-Protection", "value": "1; mode=block"}
      ]
    }
  ]
You have the right idea, you're just setting the wrong value. ALLOW is not an acceptable value for the X-Frame-Options header. You can set the ALLOW-FROM value and then specify which URI you want to allow to be able to embed. Check out some more documentation below.
FIX:
  "headers": [{
    "source": "**/*",
    "headers": [
      {"key": "X-Content-Type-Options", "value": "nosniff"},
      {"key": "X-Frame-Options", "value": "ALLOW-FROM https://get.google.com"},
      {"key": "X-UA-Compatible", "value": "ie=edge"},
      {"key": "X-XSS-Protection", "value": "1; mode=block"}
    ]
  }]
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
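As an added check (not from the question, the answer or Firebase), here is how a browser decides the framing question from the headers the framed resource itself returned, following the MDN page linked above: the SAMEORIGIN header that blocked the album was sent by get.google.com, so nothing in the embedding site's firebase.json can change that. It also shows the caveat that an X-Frame-Options value other than DENY or SAMEORIGIN (ALLOW, and the obsolete ALLOW-FROM) is ignored by current browsers, which leaves the page frameable by any origin, whereas CSP frame-ancestors is the supported way to allow specific embedders; demodomain.com and other.example are placeholder origins.

```python
from urllib.parse import urlsplit

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _source_matches(src, embedder, framed):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return embedder == framed
    e = urlsplit(embedder)
    if src.endswith(":"):                      # scheme-source such as https:
        return e.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")    # host-source with optional scheme
    host = host.split("/")[0].split(":")[0]    # drop any path and port
    if scheme and scheme != e.scheme:
        return False
    if host.startswith("*."):
        return e.hostname.endswith(host[1:])
    return e.hostname == host

def frame_allowed(framed_url, embedder_url, headers):
    """Return (allowed, reason) for rendering framed_url inside a page at
    embedder_url, judged only by the headers the *framed* resource returned.
    CSP frame-ancestors takes precedence over X-Frame-Options; an X-Frame-Options
    value other than DENY or SAMEORIGIN is ignored by current browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    framed, embedder = origin_of(framed_url), origin_of(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            ok = any(_source_matches(s, embedder, framed) for s in parts[1:])
            return ok, "CSP " + directive.strip()
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return embedder == framed, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        return True, f"X-Frame-Options '{xfo}' is not a valid directive, so the header is ignored"
    return True, "no framing restriction"
```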
I am using ocelot gateway.
Here is the example configuration
{
  "DownstreamPathTemplate": "/ipgeo?apiKey={key}&ip={ip}",
  "DownstreamScheme": "http",
  "DownstreamHostAndPorts": [
    {
      "Host": "api.ipgeolocation.io",
      "Port": 80
    }
  ],
  "UpstreamHttpMethod": ["GET"],
  "UpstreamPathTemplate": "/GLI/secondary?apiKey={key}&ip={ip}"
}
As you can see, there are two query params. When I send a request using Postman:
http://localhost:5000/GLI/secondary?apiKey=aaa&ip=8.8.8.8
Ocelot gets duplicate query params and generates a downstream URL like this:
http://api.ipgeolocation.io/ipgeo?apiKey=aaa&ip=8.8.8.8&apiKey=aaa&ip=8.8.8.8
Console screen:
info: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
requestId: 0HMFNFVDSDQH9:0000000A, previousRequestId: no previous request id, message: 301 (Moved Permanently) status code, request uri: http://api.ipgeolocation.io/ipgeo?apiKey=aaa&ip=8.8.8.8&apiKey=aaa&ip=8.8.8.8
How can I change this?
Same problem.
For me this syntax works; basically I removed the "?" symbol in the UpstreamPathTemplate:
"DownstreamPathTemplate": "/GLI/secondary?{everything}"
"UpstreamPathTemplate": "/GLI/secondary{everything}"
You can use
"DownstreamPathTemplate": "/ipgeo?{everything}"
"UpstreamPathTemplate": "/GLI/secondary?{everything}"
OR
"UpstreamPathTemplate": "/GLI/secondary/{everything}"
I have a SPA with the following setup:
Frontend: React deployed using Firebase Hosting
Backend: GraphQL API written in Django deployed on Cloud Run
Everything works locally, but when I deploy the app and try to make requests, I get a CORS error due to the preflight missing the allow-origin header:
Access to fetch at 'https://cloud-run-api-hash.a.run.app/graphql/' from origin 'https://project-id.web.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Using django-cors-headers, I have already added the Firebase domain to the CORS_ORIGIN_WHITELIST in my Django settings.
My firebase.json looks like this:
{
  "hosting": {
    "public": "build",
    "ignore": [
      "firebase.json",
      "**/.*",
      "**/node_modules/**"
    ],
    "rewrites": [
      {
        "source": "/authenticated/**",
        "run": {
          "serviceId": "cloud-run-serviceID",
          "region": "us-central1"
        }
      },
      {
        "source": "**",
        "destination": "/index.html"
      }
    ],
    "headers": [
      {
        "source": "**/*.#(eot|otf|ttf|ttc|woff|font.css)",
        "headers": [
          {
            "key": "Access-Control-Allow-Origin",
            "value": "*"
          }
        ]
      }
    ]
  }
}
My intention is to trigger the Cloud Run container after the user is authenticated and is routed to https://project-id.web.app/authenticated, but I'm not seeing any Cloud Run logs after I log in to the app. Furthermore, when I try to send any HTTP requests I get the CORS error shown above. Not sure where I went wrong here because I strictly followed the Cloud Run/Firebase Hosting documentation. Any advice is greatly appreciated.
It turns out that the problem was with django-cors-headers. I put the allowed domains in CORS_ALLOWED_ORIGINS instead of CORS_ORIGIN_WHITELIST and it worked. According to the documentation, this setting was renamed. I'm still unsure why CORS_ORIGIN_WHITELIST doesn't work on Cloud Run though... it should work as an alias.
Does anybody know how to remove everything after the ? in a URL within Firebase?
I've tried just the redirect, then the rewrite on top of this.
"redirects": [
  { "type": 302, "source": "/testMenuBrowse.php?cat=36", "destination": "/" }
],
"rewrites": [
  { "type": 302, "source": "/testMenuBrowse{,/**}", "destination": "/" }
],
Whatever I do the end URL is http://www.example.com/?cat=36
It's not currently possible to strip query parameters when redirecting using Firebase Hosting. You might want to file a feature request for the functionality.
I am trying to use Let's Encrypt with Docker in order to put my website on HTTPS.
I use Docker with nginx-proxy and the nginx companion. I have set up everything correctly according to the documentation. My containers are running.
Now I have an issue with Let's Encrypt; here is the debug file provided:
{
  "identifier": {
    "type": "dns",
    "value": "jack-world.com"
  },
  "status": "invalid",
  "expires": "2017-12-20T18:42:39Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472678",
      "token": "fXuUQ77koLDDTuAqEgeqQA1q_DHinF2wanQReSrgIdk"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472680",
      "token": "iab5h37N-Io6lzfi8-DKmccXsF8_Y5Ws_RYCcwzREBw"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw] != [fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/G_0PYv_VpnEEUbV1PUjpJZyOIeP6b0zPxXeAlyYXclE/2728472682",
      "token": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0",
      "keyAuthorization": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw",
      "validationRecord": [
        {
          "url": "http://jack-world.com/.well-known/acme-challenge/fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0",
          "hostname": "jack-world.com",
          "port": "80",
          "addressesResolved": [
            "149.202.73.189",
            "2001:41d0:301::21"
          ],
          "addressUsed": "2001:41d0:301::21",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [[0], [1], [2]]
}
Here are the logs from the companion:
argos#jackworld:~/JackProxy$ sudo docker exec jackproxy_nginx-proxy-companion_1 /app/force_renew -v --help
/etc/nginx/certs/jack-world.com /app
Creating/renewal jack-world.com certificates... (jack-world.com)
2017-12-13 19:03:34,715:INFO:simp_le:1538: Retrieving Let's Encrypt latest Terms of Service.
2017-12-13 19:03:36,629:INFO:simp_le:1455: Generating new certificate private key
2017-12-13 19:03:37,221:ERROR:simp_le:1421: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If you haven't setup correct CAA fields or if your DNS provider does not support CAA, validation attempts after september 8, 2017 will fail. Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/Xw790v5P8mgdjsh-A-_wvwcmAFRIu-6UxlT2l5I7JB8
Challenge validation has failed, see error log.
Debugging tips: -v improves output verbosity. Help is available under --help.
/app
I need some help to figure out why http-01 is invalid, and if this is the only issue.
Thanks in advance
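As an added diagnostic (not part of simp_le or the nginx-proxy companion), the script below reads the http-01 challenge from the debug file above and attributes the failure. Per RFC 8555 a key authorization is `<token>.<RFC 7638 thumbprint of the ACME account key>`, so when the token half matches but the thumbprint half differs, the file served on port 80 was generated for a different account key than the one the current client holds (a stale challenge file or another container answering the request); the record also shows the CA validated over the AAAA address, as the simp_le error mentions. `jwk_thumbprint` lets you check a local account key against either thumbprint; the challenge data is copied from the question, trimmed to the http-01 entry.

```python
import base64, hashlib, ipaddress, json, re

# Constructed from the http-01 challenge in the debug file above; the other
# challenges and the combinations array are omitted.
HTTP01 = {
    "error": {"detail": "The key authorization file from the server did not match this challenge "
              "[fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw] != "
              "[fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]"},
    "token": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0",
    "keyAuthorization": "fnFwM8VZXXjIkSOci-z5_w4W2mN8oOIXA_d74gScLo0.K6eBCVMCFTPDy-GGls8jpd0O75tW9kFA9tsX7dEU_Zw",
    "validationRecord": [{"hostname": "jack-world.com", "port": "80",
                          "addressesResolved": ["149.202.73.189", "2001:41d0:301::21"],
                          "addressUsed": "2001:41d0:301::21"}],
}

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an ACME account key: SHA-256 over the required JWK
    members only, names sorted, no whitespace. A key authorization is
    '<token>.<thumbprint>', so a local account key can be checked against the
    thumbprints reported by diagnose_http01."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def diagnose_http01(challenge):
    """Attribute the mismatch to the token or to the account-key thumbprint, and
    report which resolved address the CA validated against."""
    m = re.search(r"\[([^\]]+)\] != \[([^\]]+)\]", challenge["error"]["detail"])
    expected = challenge["keyAuthorization"]
    served = m.group(2) if m.group(1) == expected else m.group(1)
    exp_token, exp_tp = expected.split(".", 1)
    srv_token, srv_tp = served.split(".", 1)
    record = challenge["validationRecord"][0]
    used = ipaddress.ip_address(record["addressUsed"])
    return {
        "token_matches": exp_token == srv_token == challenge["token"],
        "thumbprint_matches": exp_tp == srv_tp,
        "expected_thumbprint": exp_tp,
        "served_thumbprint": srv_tp,
        "validated_over_ipv6": used.version == 6,
        "address_used": str(used),
        "other_addresses": [a for a in record["addressesResolved"] if a != record["addressUsed"]],
    }

if __name__ == "__main__":
    print(json.dumps(diagnose_http01(HTTP01), indent=2))
```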
I set my CORS header for Firebase Storage with the following cors.json and gsutil:
[
  {
    "origin": ["*"],
    "method": ["GET", "OPTIONS"],
    "responseHeader": ["Range", "Content-Type"],
    "maxAgeSeconds": 3600
  }
]
But I still get this error:
XMLHttpRequest cannot load http://url_to.csv. Request header field Range is not allowed by Access-Control-Allow-Headers in preflight response.
I also tried replacing Range with Content-Range but it didn't have any effect.
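As an added check (not from django-cors-headers, Cloud Run or Firebase Storage), here is a preflight evaluator that applies the same checks a browser does to the OPTIONS response, reproducing both the missing Access-Control-Allow-Origin error from the Cloud Run/Django question above and the Range error here, and showing which response headers make each pass. The response dicts, origins and header values are constructed for the example.

```python
def _safelisted(name, value):
    """CORS-safelisted request headers need no Access-Control-Allow-Headers entry.
    Content-Type only qualifies for the three form/plain media types, so a JSON
    body (typical for a GraphQL call) always requires it to be listed."""
    n = name.lower()
    if n in ("accept", "accept-language", "content-language"):
        return True
    if n == "content-type":
        media = value.split(";")[0].strip().lower()
        return media in ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")
    return False  # Range, Authorization, custom headers etc. must be listed explicitly

def preflight_passes(origin, method, request_headers, response_headers, credentials=False):
    """Return (ok, reason) for a CORS preflight, mirroring the checks a browser
    applies. request_headers: name -> value the page intends to send;
    response_headers: what the OPTIONS response carried."""
    h = {k.lower(): v for k, v in response_headers.items()}
    def listed(key):  # comma-separated header value -> set of lower-cased tokens
        return {v.strip().lower() for v in h.get(key, "").split(",") if v.strip()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "No 'Access-Control-Allow-Origin' header is present on the requested resource"
    if allow_origin == "*":
        if credentials:
            return False, "Access-Control-Allow-Origin '*' is not accepted for credentialed requests"
    elif allow_origin != origin:
        return False, f"origin {origin} is not allowed by Access-Control-Allow-Origin {allow_origin}"
    wildcard_ok = not credentials  # '*' in methods/headers only counts without credentials
    methods = listed("access-control-allow-methods")
    if (method.lower() not in methods and not ("*" in methods and wildcard_ok)
            and method.upper() not in ("GET", "HEAD", "POST")):
        return False, f"Method {method} is not allowed by Access-Control-Allow-Methods in preflight response"
    allowed = listed("access-control-allow-headers")
    for name, value in request_headers.items():
        if _safelisted(name, value) or name.lower() in allowed or ("*" in allowed and wildcard_ok):
            continue
        return False, f"Request header field {name} is not allowed by Access-Control-Allow-Headers in preflight response"
    return True, "preflight passes"

if __name__ == "__main__":
    # Constructed responses modelled on the two errors quoted on this page.
    cloud_run_fixed = {"Access-Control-Allow-Origin": "https://project-id.web.app",
                       "Access-Control-Allow-Methods": "POST, OPTIONS",
                       "Access-Control-Allow-Headers": "content-type"}
    storage = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, OPTIONS",
               "Access-Control-Allow-Headers": "Content-Type"}
    for resp in ({}, cloud_run_fixed):
        print(preflight_passes("https://project-id.web.app", "POST", {"Content-Type": "application/json"}, resp))
    print(preflight_passes("https://project-id.web.app", "GET", {"Range": "bytes=0-1023"}, storage))
```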