Set iframe Protection in Apache - javascript

I am using the following
Header set Content-Security-Policy: "frame-ancestors http://bmx-tv.net https://bmx-tv.net http://site.bmx-tv.top https://site.bmx-tv.top http://ps1.bmx-tv.top https://ps1.bmx-tv.top;"
on a blank .HTaccess page to try to prevent all sites besides those listed from being allowed to iframe my website but when i save the .htaccess it breaks my website with
Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator at webmaster#localhost to inform them of the time this error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log
Any idea what im doing wrong? or how to only allow certain urls to iframe me? i need this fixed there stealing my content but i cant lock it down to only parent because i have other urls i want to iframe my own content on.

Where do you get the : from? The apache docs show no : and has the following example:
Header set MyHeader "%D %t"
Therefore it should be:
Header set Content-Security-Policy "frame-ancestors http://bmx-tv.net https://bmx-tv.net http://site.bmx-tv.top https://site.bmx-tv.top http://ps1.bmx-tv.top https://ps1.bmx-tv.top;"
There is even a website which shows you how to enable and configure the Content-Security-Policy Header for a lot of systems. Also Apache.

Related

WordPress publishing failed; javascript shows errors 'Access to fetch ... has been blocked by CORS policy'

I have uploaded WordPress manually on freewebhostingarea.com using my own domain. When I create a new page in Wordpress, I get some errors in javascript console (attached image1) but it lets me add/edit content. When I try to publish the page, I get the error 'Updating failed' and javascript console gives additional errors (attached image2) as below:
"Access to fetch at 'http://e.freewebhostingarea.com/not-found.html' (redirected from 'http://www.shia-match.com/wp-json/wp/v2/pages/16/autosaves?_locale=user') from origin 'http://www.shia-match.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
What could I be doing wrong?
Errors when creating a new WordPress page,
Errors when trying to publish page
Just had this same problem, the cross origin (CORS) policy blocking fetching by the https:// version of a site from the https://www version.
mediaguru’s answer alerted me to check the wp-config file. I found that I had added these lines, and so removed them:
define('WP_HOME', 'https://www.example.com');
define('WP_SITEURL', 'https://www.example.com');
I then rechecked WP’s Settings > General > WordPress Address (URL) and Site Address (URL). Prior to my edit of the wp-config file, they had displayed the www URL, but greyed out and non-editable. Now they had both reverted to the non www version of the URL (and were editable).
On my (Dreamhost) server, the canonical URL is set to www. So I changed the Settings > General URLs to www and… bingo. Solved.
It sounds like you just copied your wordpress files and db from one location to another? If so, you will need to change settings in your wordpress config as well as in your database to make sure the new location is not referring to the old location's database or files.

Unable to load div with external Url

I am using asp.net MVC 5 application. In that, I am using the jquery to load the div with the external url.
Html
<div id="DivOne" class="oddNum">Div One</div>
<button id="btnOne">Load Content</button>
Jquery
$('#btnOne').click(function() {
// Action goes here
$('#DivOne').load('http://www.artisteer.com');
});
I am getting the following error message (in browser console) when in button click event.
Failed to load http://www.artisteer.com/: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://fiddle.jshell.net' is therefore not allowed access.
Here is the JsFiddle Url:
http://jsfiddle.net/Q8KVC/7533/
Note: I dont want to use iframe
PS: Okay, I think I am left with only option is to use iframes. Do we get the same issue with the iframes as well?
Use an https endpoint for your external URL, otherwise, you will end up with a mixed content error on console
you can see visit link for more understanding
mixed-content-the-page-was-loaded-over-https-but-requested-an-insecure-xmlhttprequest-endpoint
HTTPS is important to protect both your site and your users from
attack.
Mixed content degrades the security and user experience of your HTTPS
site.
For chrome if add Access-Control-Allow-Origin plugin it will solve the issue. It will work for chrome browser only

How to set X-Content-Type-Options and X-Frame-Options for html and javascript?

I am getting below alerts when we test our URL on ZAP tool:
X-Frame - Options Header Not Set
Web Browser XSS Protection Not Enabled
X-Content-Type - Options Header Missing
We have successfully set X-Frame-options and X-content type-options in REST and Servlet calls. But don't know how to set those in html and Javascripts?
can anyone suggest the solution.
The X-Frame-Options header is added on the server-side, not the client. This is because the header is used to control how the browser should render the page.
Whatever server is hosting your file would have to add this header.
From here

Error 403 Html image get

If I open these images directly on the browser, it won't work, but on the snipped it work. And I my localhost, I doesn't. Why is that? This is the error I am getting from my console log. How can I make sure that the images are always showing?
nikon-d1x-s.jpg:1 GET
http://www.vistaview360.com/cameras/images/nikon_images/nikon-d1x-s.jpg
403 (Forbidden) nikon-d1-s.jpg:1 GET
http://www.vistaview360.com/cameras/images/nikon_images/nikon-d1-s.jpg
403 (Forbidden) nikon-e3s-s.jpg:1 GET
http://www.vistaview360.com/cameras/images/nikon_images/nikon-e3s-s.jpg
403 (Forbidden) nikon-e2n-s.jpg:1 GET
http://www.vistaview360.com/cameras/images/nikon_images/nikon-e2n-s.jpg
403 (Forbidden) nikon-e2-s.jpg:1 GET
http://www.vistaview360.com/cameras/images/nikon_images/nikon-e2-s.jpg
403 (Forbidden) dance.html:145 scrool
<img src="http://www.vistaview360.com/cameras/images/nikon_images/nikon-d1x-s.jpg" "/>
The site is preventing you from accessing the images across site origins. The host is most likely only allowing origins from their domain or blocking based on a header like user-agent. They're doing this so you can't host the images on another site because they have to pay for the bandwidth every time it's accessed. So the answer is, you cannot cross host the images like this.
Instead, you'll need to download the images and host them yourself or contact the host and ask them to whitelist your domain. This will not help for localhost, however.
Most likely, the server has some checks in place to prevent hot linking.
Those checks vary in type. Some servers check the referrer string, others some cookies, etc.
I wouldn't try to include those images in your website because the intentions are clear: the remote server doesn't want you to include them and you don't know which measures they'll implement in the future to prevent you from doing that, so it could break at any time.
Instead, download those images and serve your own copies (provided you are not infringing any copyright, that is...)
If you still want to hot link them, compare the headers in the requests your browser is making with the ones sent when you can access them to try and find the culprit.

Allowing cross-site requests between subdomains without changing file contents of second sub domain

I am currently attempting to wrap a web application (ConnectWise) for inclusion within my company's central intranet site. It's a fairly simple process for the most part; create a containing page, with an iframe, point the iframe at the ConnectWise url. This part works for almost all of the functionality.
The problem comes during certain select features of the app (in this case, part of the process of creating a timesheet entry), which simply fail to work. Chrome gives the following console output.
Uncaught SecurityError: Failed to read the 'frame' property from 'Window': Blocked a frame with origin "https://app.example.com" from accessing a frame with origin "https://host.example.com". Protocols, domains, and ports must match.
I am aware this is caused by the security options for cross-site and same-origin policies. Given the following points, is there a way to overcome this?
I have full control over https://host.example.com
I can change html, javascript, and file contents
I can change IIS settings and headers
I have partial control over https://app.example.com
I can not change html, javascript, and file contents
I can change IIS settings and headers.
I have tried setting the Access-Control-Allow-Origin on each server, which so far is the only method I've come across that does not involve being able to change the file contents for the app server. This does not appear to work when given the settings (and combinations of settings) of
* or https://app.example.com while on https://host.example.com
* or https://host.example.com while on https://app.example.com
Edit:
The solution to this "duplicate" question is not applicable here. I do not have access to change file contents (including javascript) of the iframed page (app.example.com). Additionally, the script requiring the permission to run is the page within the iframe, not the page hosting the iframe.
CORS headers such as Access-Control-Allow-Origin only affect AJAX requests, not DOM access.
However, If they are both on the same domain but different subdomains then you can include the following on each page:
document.domain = 'example.com';
From MDN:
One document is allowed to access another if they have both set
document.domain to the same value, indicating their intent to
cooperate
If app.example.com has any script includes to host.example.com then you could put the above code in those scripts to set the domain.
e.g.
<script src="https://host.example.com/setup.js"></script>
No, it is not possible.
Access-Control-Allow-Origin primarily affects getting raw data from HTTP requests, not live DOMs.
postMessage can let frames on different origins communicate, but it requires JS to be included on both pages.

Categories

Resources