I have a website that uses the Facebook login button and
connect.facebook.net/en_US/all.js
As of friday, I started getting a cross-origin security error when new users were trying to log in.
Uncaught SecurityError: Blocked a frame with origin "https://www.facebook.com" from accessing a frame with origin "http://www.facebook.com". The frame requesting access has a protocol of "https", the frame being accessed has a protocol of "http". Protocols must match.
Instead of redirecting after login, the dialog box just turns to a blank white screen.
This is only happening in Chrome. Everything runs smoothly in Safari and Firefox.
Anyone else experiencing these issues?
Any ideas about a possible fix?
Related
With the new permission request API introduced in Safari on iOS 13, I get this error when doing the permission request on a cross origin iframe:
Call to requestPermission() failed, reason: Source frame did not have the same security origin as the main page.
I could not find any corresponding Feature-Policy to add to the iframe "allow" property: neither 'accelerometer' or 'gyroscope' worked...
Is there a way to allow DeviceOrientationEvent.requestPermission() on cross domain iframe?
The only workaround that worked for me is redirecting through the iframed domain once.
So, if you have abc.com and xyz.com is an iframe under abc.com, while landing to the abc.com, there needs to be an intermediate redirect through xyz.com only for the purpose of setting a blank cookie. Then Safari will allow setting a cookie from iframe for xyz.com.
I'm not sure if there's any other better workaround. However, this worked and served my purpose.
Thanks.
at the moment I have an issue regarding implementing an iFrame into my ionic app. Everything is working if I open the Page, where the iFrame is embeded, on Android. But if I open the page on iOS I get an error in my console which says:
Blocked a frame with origin "http://mywebsite.com" from accessing a frame with origin "file://". The frame requesting has protocol of "http", the frame being accessed has a protocol of "file". Protocols must match.
How can I fix this issue? Do I have to make changes on the Page which I'm trying to embed or do I have to change something within the app?
Best regards and thanks
I was trying to host a web page in the chrome extension popup and was hitting error X-FRAME options set to deny or SAME ORIGIN. As an alternative approach I opened up the page in new chrome browser instance and injected the script into it so that i can send the message from the page to content script and then back to my popup page once the work is done in the new window . UI experience of this approach does not look good and hence wanted to go via Iframe route. My extension has all url permissions in manifest.xml
Can someone suggest the right approach by which we can host a web page in IFRAME in chrome extension popup and get around the deny and SAME ORIGIN. Also will this be correct with respect to security .
I came across this unanswerd blog but seems to me a hack. Hence wanted to get clarity on chromium - extension forum.
Getting around X-Frame-Options DENY in a Chrome extension?
I'm using Google Chrome and Adblock Plus.
Firstly, I opened https://www.google.com.sg/ with Chrome and then open a console and input window.open("https://www.google.com.sg/") in the console.
Then a new window will appear. I input window.opener.document in the new window's console, but it throws an error:
"Blocked a frame with origin "https://www.google.com.sg" from
accessing a cross-origin frame."
I am quite confused because I'm using same-origin frame (Both window are from the same origin "https://www.google.com.sg") instead of cross-origin frame.. Why does the brower still complains about the Security Error?
I'm developing a mobile app which runs a simple HTTP server and a WebView. The WebView displays an external website which should access the server via javascript (GET). Unfortunately this doesn't work and I assume it's due to the same origin policy but the console doesn't show any errors. I had a similar error before which required me to define "Access-Control-Allow-Origin: *" on the server side. This error already took a while to find because there were no error messages (Firebug "Net" tab showed a completed GET request with empty "response" data). Now I assume a same origin policy violation in the external script, but it's hard to tell because of the missing error messages. The only "hint" I see is in Firebug "Net" tab, showing a connection which "never completes". I checked the packages sent to localhost but there wasn't even a connection attempt => thus I assume the browser is holding it back.
How do I display Javascript "same origin policy" violation errors in Firefox (ext: Firebug, Webdeveloper)?
Firefox(3.6.20 and Chrome) throws an error on XMLHttpRequest cross domain violations. These errors can being silenced by try{...} catch(ignore){} blocks. If you know the actual path of the request you can check in the Firebug's "Net" tab, all the requests(even those denied by "same origin policy") show in the "All" section, and in the "XHR" section those denied by "same origin policy" don't.