I'm trying to embed spotify album on wordpress based website. It is working well on backend while editing page and for new articles but not at home page: http://goo.gl/984skV
Web dev tools shows this error:
Uncaught SecurityError: Failed to read the 'contentDocument' property
from 'HTMLIFrameElement': Blocked a frame with origin
"http://www.******.com" from accessing a frame with origin
"https://embed.spotify.com". The frame requesting access has a
protocol of "http", the frame being accessed has a protocol of
"https". Protocols must match.
Any tips?
Related
I'm developing an iframeable component and have now stumbled over something that looks like a security problem.
I have two web sites:
site A, running at http://localhost:3002
site B, running at http://localhost:3000
Site A embeds site B in an IFrame. Site B needs data to work with, which is supposed to be provided by site A. However, right now site B only accepts data via URLs and since the original URL might need authentication, data is fetched by site A, converted to an object URL (with URL.createObjectURL) and then provided to site B via postMessage. Site B is now supposed to fetch the data from that URL and work with it.
However, fetching of the object URL by site B is getting blocked by the browser:
Chrome: Not allowed to load local resource: blob:http://localhost:3002/<UUID>
Firefox: Security Error: Content at http://localhost:3000/... may not load data from blob:http://localhost:3002/<UUID>
These message are, as far as I can see, not connected to either CSP or CORS. However, I can't understand what the problem is and whether it is fixable or not -- I have been under the impression that object URLs do not currently have any cross-site problems, which is exactly why the are being used.
So why does it happen and what can I do about it?
See https://github.com/w3c/FileAPI/issues/135 and the references therein. There is a same origin restriction in practice, but this isn't reflected in specifications as of yet. It's unlikely we'll remove that restriction as blob: URLs make it easy to create memory leaks. (In fact, we want to place more restrictions on them: https://github.com/w3c/FileAPI/issues/153 .)
If you have a postMessage() API you'll need to extend it whereby you either message a URL or an object. Messaging the Blob instance itself should work.
Is there a way to get a list of all the GET Requests an external Website sends? When I load a website and open the developer tools -> network -> XHR thats the list I want. But I want to get it via PHP or JS - is that possible ?
Has anyone see the following error before??? If so, please provide some advice.
" Uncaught SecurityError: Blocked a frame with origin "https://project-1283108821180873675.firebaseapp.com" from accessing a frame with origin "http://localhost:9000". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match."
Thank you,
You're trying to access a file from http://localhost in an app that you published. That will not work for two reasons:
visitors to https://project-1283108821180873675.firebaseapp.com won't have access to your machine (which is what localhost refers to)
you're trying to load the nested page over http, while the main site is loaded over https. That is a common phishing technique, so disallowed by all modern browsers.
Replace the iframe src attribute with a relative URL (removing the http://localhost:9000 part).
See Firebase: Why $firebaseSimpleLogin throws a SecurityError?
Part of a site I am working on at the moment requires Audio/Video previews.
These are server from a different server to the main site.
The Streaming URL is of the form:
www.myserver.com/Preview.aspx?e=I_AM_AN_ENCRYPTED_KEY
The Key is generated by the server that hosts the file, not the site on which the previews are actually displayed. It's kind of an API.
Part of the security to stop these previews being played anywhere except this website is supposed to check the domain which is requesting this, but it seems that HttpContext.Current.Request.UrlReferrer is NULL when requested from an HTML5 video/audio element.
Without posting the domain along with the Key to the API, is there any way that I can get the referring URL on the receiving server, server side?
EDIT:
To clarify:
There is a website with HTML5 elements which are directed to a URL on a different server, the URL and key is provided by this server (not the website)
When the API server receives a request to stream the preview it checks the Key (which basically tells it what to play) and also checks for the referring domain against a list of allowed domains.
Figured it out - in case anyone cares...
Simply replace:
ReferringDomain = HttpContext.Current.Request.UrlReferrer
with :
ReferringDomain = HttpContext.Current.Request.Headers("Referer")
Sorted! :)
I'm trying to resolve a bug, but i can't.
My problem is :
In my phonegap application, i need to integrate an iframe (I can't give my url for safety reasons). My iframe is displayed but i have an error message.
The iframe try to setCookies on the device and read it. If i launch the iframe on safari directly or if i use InAppBrowser of Phonegap, i have no problem/error. But through phonegap "iframe", I get an error.
The log are :
Blocked a frame with origin "http:// URL_IFRAME:NUMBER_PORT" from accessing a frame with origin "file://". The requesting access has a protocol of "http", the frame being accessed has a protocol of "file". Protocols must match.
I hope to be fairly accurate.
Thks