I have a website and want to embed LinkedIn follow button on the site
Refer: https://developer.linkedin.com/plugins/follow-company
I added a LinkedIn follow button to my site and registered my site URL with LinkedIn.
Scenario:
Click the Follow button on my site
A popup appears asking for login credentials
Logged in with correct credentials.
Popup closes, my website page refreshes, but the follow button is removed from the website.
I refresh the page again; the follow widget appears again with the count and "Following" text.
Error on browser console:
Load denied by X-Frame-Options: https://www.linkedin.com/company/follow/submit?id=<Company Id>&fl=start&src=btn&rd=json&ft=0_2MZDSRL3TZnOwVljzvjnGEkdKYCNzL1pCmG7GZUzmtDgbGCJ60vYC_qf6CcabmUV-kkmaf1In8FlOqBM6Ym3Je&csrfToken=ajax%3A4802512393226623262&trk=cws-btn-follow-0-0&ajax= does not permit cross-origin framing.
When we check LinkedIn's headers, it says X-Frame-Options: sameorigin.
I've recently started developing an e-commerce app with multiple types of users, and currently I am experiencing some issues with the browser's page cache. Here is one example for user authentication:
Authentication Token is generated
Authentication Token is written into the database
Authentication Token and its expiry is saved into the user session
I wrote middleware that checks if the user is authenticated and if they're authorized (checks the token and access level) as well as the expiry - tested it, it works. On "Log Out" I am destroying the session and renewing the token with Session.Destroy(r.Context()) and Session.RenewToken(r.Context()).
Here is the problem:
I log in as "Admin" and go to the DASHBOARD page, which only admin users are authorized to access.
I log out.
I log in as a regular user and click "BACK" in the browser; it takes me to the Dashboard page when it should not. But when I refresh the page, it does say "UNAUTHORIZED", which is what I was expecting when clicking "back" or something.
I was searching through the internet and found a "solution" where I set the headers in the following manner:
w.Header().Set("Cache-Control", "no-cache, private, max-age=0")
w.Header().Set("Expires", time.Unix(0, 0).Format(http.TimeFormat))
w.Header().Set("Pragma", "no-cache")
w.Header().Set("X-Accel-Expires", "0")
This, however, does not work for me. I do see these headers in the NETWORK tab when I open my Web Developer Tools, but the problem remains.
What am I doing wrong?
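As an added example (not the poster's code), here is how the cache headers and the per-request authorization check fit together in a net/http middleware chain. The role is read from a constructed X-Demo-Role request header so the example runs offline; in the real app it would come from the session token lookup. The point the example makes is that the Cache-Control: no-store directive asks the browser not to keep the authenticated page at all, while the RequireAdmin check is what actually decides whether the dashboard is served, so a stale copy is the only thing a back navigation can ever show and a fresh request is always re-authorized.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NoStore marks every response it wraps as uncacheable so that a browser's
// history/back navigation has to ask the server again instead of showing a
// stored copy of an authenticated page.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// no-store forbids storing the response at all; the other directives
		// are kept for older caches and proxies.
		w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0")
		w.Header().Set("Pragma", "no-cache")
		w.Header().Set("Expires", "0")
		next.ServeHTTP(w, r)
	})
}

// isAdmin stands in for the session/token lookup (hypothetical); the role
// comes from a constructed request header so the example runs offline.
func isAdmin(r *http.Request) bool {
	return r.Header.Get("X-Demo-Role") == "admin"
}

// RequireAdmin enforces authorization on every request, which is the check
// that protects the dashboard regardless of what the browser cached.
func RequireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAdmin(r) {
			http.Error(w, "UNAUTHORIZED", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Dashboard builds the protected handler chain: cache headers outermost,
// then the authorization gate, then the page itself.
func Dashboard() http.Handler {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "dashboard")
	})
	return NoStore(RequireAdmin(page))
}

// Serve runs one request with the given role through the chain and returns
// status, Cache-Control and body so the behaviour can be inspected without
// a real browser.
func Serve(role string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
	if role != "" {
		req.Header.Set("X-Demo-Role", role)
	}
	rec := httptest.NewRecorder()
	Dashboard().ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Cache-Control"), rec.Body.String()
}

func main() {
	for _, role := range []string{"admin", "user", ""} {
		code, cc, body := Serve(role)
		fmt.Printf("role=%q status=%d cache-control=%q body=%q\n", role, code, cc, body)
	}
}
```

Note that the 401 response carries the same no-store headers as the page, so neither the dashboard nor the refusal is kept by the browser; how aggressively a particular browser's back/forward cache honours these directives varies, which is why the server-side check, not the headers, is the control to rely on.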
Good day!
I've been googling for a long time, but still no success.
Problem:
Let's suppose we have a Google document which has been embedded into some site with an iframe, following the Google Docs guide. The user has one tab in which he is authorized with his account in Google. He visits our site and sees the document. He can access it, edit it, and whatever he wants.
Now he decides to change his auth in Google: he logs out and then logs in with a different account. He DOESN'T reload our site (because it is AJAX based), and now he tries to access our document. And here comes the fail. He sees a blank page. In the Chrome JS console there is an error:
Refused to display https://**docs**.google.com/SamplePDFURL in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN.
In the iframe, src = "docs.google.com".
What happens? When the user changed authorization, his cookies changed and he was no longer authed for this doc, and Google automatically redirects the frame to the account.google.com auth page. BUT! This auth page is on a different domain, ACCOUNT, and since Google follows the "same origin" security policy, we get an error in the console and a blank iframe for the user.
How to work around this?
Please help somebody.
As I said, I didn't find any working solution for this.
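Both the LinkedIn follow-button question above and this Google Docs question fail for the same reason: the framed response (a LinkedIn submit page, or the accounts.google.com login page the document frame was redirected to) carries X-Frame-Options: SAMEORIGIN, and the browser compares full origins (scheme, host, port), so docs.google.com and accounts.google.com count as different origins just as much as your site and linkedin.com do. The following is an added example, not code from either post or from LinkedIn or Google, that models the browser's check from the current HTML specification's X-Frame-Options algorithm (comma-separated values, conflicting directives treated as deny, unrecognised values ignored); it does not model CSP frame-ancestors, which is a separate mechanism.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// origin reduces a URL to scheme://host[:port], which is what a browser
// compares for SAMEORIGIN. Sharing a registrable domain is not enough.
func origin(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// FramingAllowed reports whether a browser honouring X-Frame-Options would
// render frameURL inside a page served from pageURL, given the header value
// xfo on the framed response ("" means the header was absent).
func FramingAllowed(xfo, pageURL, frameURL string) (bool, error) {
	pageOrigin, err := origin(pageURL)
	if err != nil {
		return false, err
	}
	frameOrigin, err := origin(frameURL)
	if err != nil {
		return false, err
	}
	// Collect the distinct, normalised directive values.
	values := map[string]bool{}
	for _, v := range strings.Split(xfo, ",") {
		if v = strings.ToLower(strings.TrimSpace(v)); v != "" {
			values[v] = true
		}
	}
	// Conflicting directives are treated as deny.
	if len(values) > 1 && (values["deny"] || values["sameorigin"] || values["allowall"]) {
		return false, nil
	}
	if values["deny"] {
		return false, nil
	}
	if values["sameorigin"] {
		return pageOrigin == frameOrigin, nil
	}
	// Absent or unrecognised values (including the obsolete ALLOW-FROM)
	// place no restriction.
	return true, nil
}

func main() {
	cases := []struct{ xfo, page, frame string }{
		// constructed: your site framing LinkedIn's follow submit endpoint
		{"sameorigin", "https://www.example.com/page", "https://www.linkedin.com/company/follow/submit"},
		// constructed: the Docs frame after Google redirected it to the login page
		{"SAMEORIGIN", "https://www.example.com/app", "https://accounts.google.com/ServiceLogin"},
		// same origin on both sides is permitted
		{"SAMEORIGIN", "https://www.linkedin.com/a", "https://www.linkedin.com/b"},
	}
	for _, c := range cases {
		ok, err := FramingAllowed(c.xfo, c.page, c.frame)
		fmt.Printf("%-10s page=%s frame=%s -> allowed=%v err=%v\n", c.xfo, c.page, c.frame, ok, err)
	}
}
```

The practical consequence is the one both posters hit: a site cannot override a third party's X-Frame-Options, so the only server-side fix is on the framed party's side (LinkedIn or Google), and the only client-side mitigation is to detect the failed load and navigate the user to the third party in a top-level window instead of a frame.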
Currently my client has 2 websites, for example abc.com and us.abc.com. They want that every time a user from the US accesses abc.com, he/she will be redirected to us.abc.com. That can be solved very easily; however, after solving that issue, I ran into another issue related to Facebook.
That is, when a user browses abc.com and clicks the Facebook share button somewhere in the website, what is shared is always what appears on the home page of us.abc.com.
What I think is that because the Facebook server is in the US, when Facebook made the request it was redirected to us.abc.com, which causes the issue.
Is there any way to whitelist Facebook requests and skip them from the redirect rule?
Yes, you can detect that Facebook is making a request. You can do this by using the request headers, as explained in the question How to recognize Facebook User-Agent.
Based on those user-agent strings, you can decide whether to redirect.
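An added example (not the answerer's code) of the approach just described, in Go: the redirect rule consults the User-Agent and lets Facebook's link-preview fetcher ("facebookexternalhit") and crawler ("Facebot") through unredirected so the preview is generated from the page the user actually shared. The country lookup is passed in as a function because it stands in for whatever geo-IP service the site already uses; abc.com and us.abc.com are the hostnames from the question. Because the User-Agent header is entirely client-controlled, this check is appropriate only for a cosmetic decision like skipping a redirect, never for granting access.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IsFacebookCrawler recognises the User-Agent substrings Facebook uses for
// its link-preview fetcher and its crawler. The header is spoofable, so the
// result must never gate anything security-relevant.
func IsFacebookCrawler(ua string) bool {
	ua = strings.ToLower(ua)
	return strings.Contains(ua, "facebookexternalhit") || strings.Contains(ua, "facebot")
}

// GeoTarget decides where a request for abc.com should go. country is the
// two-letter code produced by the site's geo lookup; "" means no redirect.
func GeoTarget(country, ua string) string {
	if IsFacebookCrawler(ua) {
		return "" // let Facebook scrape the page it was actually given
	}
	if strings.EqualFold(country, "US") {
		return "https://us.abc.com"
	}
	return ""
}

// GeoRedirect wraps a handler with the redirect rule. lookupCountry is a
// stand-in for the existing geo-IP service (hypothetical).
func GeoRedirect(lookupCountry func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target := GeoTarget(lookupCountry(r), r.UserAgent()); target != "" {
			// Preserve path and query so a shared deep link stays a deep link.
			http.Redirect(w, r, target+r.URL.RequestURI(), http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one constructed request through GeoRedirect and returns the
// status and Location header, so the rule can be checked without a browser.
func Probe(country, ua, path string) (int, string) {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "abc.com page")
	})
	h := GeoRedirect(func(*http.Request) string { return country }, page)
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("User-Agent", ua)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed sample User-Agent strings.
	const fb = "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
	const browser = "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/115.0"
	for _, ua := range []string{fb, browser} {
		code, loc := Probe("US", ua, "/products/42?ref=share")
		fmt.Printf("US %-25.25s -> %d %s\n", ua, code, loc)
	}
}
```

A companion step worth taking is to make the share link itself carry the canonical URL (og:url) of the page being shared, so that the preview does not depend on which hostname Facebook happened to fetch.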
I'm building a website where I have a Share button for Google+. I'm trying it on my localhost server, and when I click the button it turns red with a notice. In the notice I read these possible causes of the error:
Server timeout: Check your Internet connection and try refreshing the page.
Suspended profile: If your profile has been suspended, you won't be able to +1 content.
Apps user: If your administrator hasn't enabled Google+ for your domain, you won't be able to sign up for a Google+ account to use the +1 button.
Blocked cookies: If you've disabled 3rd party cookies in your browser you won't be able to use the +1 button.
Logged out: If you've logged out of your account, you won't be able to use the +1 button.
I checked the different causes, and I don't know how I can check the Apps user one...
This is expected behavior. Google has to be able to crawl your site to generate the preview snippet for the share. Google cannot crawl your localhost server.
To share pages, the content must be publicly accessible.
I have a login page, and users from different domains are redirected to this page for the purpose of SSO. I use the referrer HTTP header field to know where the user has come from; thus, on successful login, I return him/her back to his/her original domain.
But sometimes my referrer is not set, while other times it's set. Why?
Users can come to your page using different methods:
By entering the URL of your page, directly into the address bar of the browser
By clicking a link to your site from another site
By reloading your current page
By submitting a form on your site (sending a POST request back to your site)
By navigating through the back/forward buttons of your browser
By being redirected through a previous page to the current page.
Now, browsers really differ in how and when they set the referrer header field. But as a general rule, you can be sure that on a link click, or on submitting a form (POST request), they set the referrer field. Also, if you have come to the current page via a redirect or a link, the browser still preserves the referrer header on F5 (page reload).
If you see that your referrer field is empty, it's because someone knows your login page URL and enters it directly into the address bar, or someone has bookmarked it, so the browser sends a plain GET request.
Generally, you shouldn't always expect the referrer field, because it's outside your control. You should use cookies or query strings, because they are under your control.
The other thing is that some users may have the referer option disabled in their browsers as part of the browser security settings.
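As an added example, not code from the answer above, here is the "use a query string instead" advice carried through in Go for an SSO login page, with the security check that the answer's reasoning implies but does not spell out: whatever the return destination comes from (a return_to parameter the site itself put in the login link, or the Referer as a last resort), it is validated against an allowlist of participating domains before the user is redirected there, otherwise the login page becomes an open redirect that anyone can point at an arbitrary site. The allowlist hosts and the fallback path are constructed values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist of the domains that take part in
// the SSO; in a real deployment it comes from configuration.
var allowedHosts = map[string]bool{
	"app1.example.com": true,
	"app2.example.com": true,
}

// hostAllowed accepts only absolute https URLs whose host is exactly on the
// allowlist, so values like "//evil.example.net" or
// "https://app1.example.com.evil.net/" are rejected.
func hostAllowed(u *url.URL) bool {
	return u.Scheme == "https" && allowedHosts[strings.ToLower(u.Hostname())]
}

// ResolveReturnURL picks where to send the user after login. The return_to
// query parameter is preferred because the site controls it; the Referer is
// used only as a fallback, and both are validated the same way. fallback is
// returned when neither is usable (for example, the user typed the login URL
// into the address bar, so no Referer was sent).
func ResolveReturnURL(returnTo, referer, fallback string) string {
	for _, candidate := range []string{returnTo, referer} {
		if candidate == "" {
			continue
		}
		u, err := url.Parse(candidate)
		if err != nil || !hostAllowed(u) {
			continue
		}
		// Strip fragments and embedded credentials so the redirect target
		// is a plain URL the user can see in full.
		u.Fragment = ""
		u.User = nil
		return u.String()
	}
	return fallback
}

func main() {
	// Constructed inputs covering the cases from the answer.
	cases := [][2]string{
		{"https://app1.example.com/orders?id=7", ""},                 // link carried return_to
		{"", "https://app2.example.com/settings"},                    // only the Referer is present
		{"https://attacker.example.net/", "https://app2.example.com/"}, // tampered return_to
		{"", ""},                                                      // typed URL or bookmark: no Referer
		{"http://app1.example.com/", ""},                              // downgrade to http refused
	}
	for _, c := range cases {
		fmt.Printf("return_to=%q referer=%q -> %s\n", c[0], c[1], ResolveReturnURL(c[0], c[1], "/"))
	}
}
```

In practice the return_to value should also be bound to the login session (for example by storing it server-side under a random id, or signing it together with a CSRF token) so that the value cannot be swapped mid-flow; the allowlist check shown here is the minimum that makes a client-supplied destination safe to follow.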