Is there any way any error happens on page we can suppress the error. When we he have Iframe where we are loading third party websites which we don't have any control
Only way to suppress the error is if the code runs on your domain and you can catch it with window.onerror. If it is on theirs [in iframe/frame], there is nothing you can do.
Tell them to fix it or do not include their page.
You cannot modify the code or behavior of a site from a different domain that's in an iframe or a frame. The browser prevents any cross domain modifications. See the "same origin policy" at MDN for details.
It would take a browser plug-in to do what you are describing. If you want to display third party sites in an iframe/frame, you get whatever behavior they produce.
Related
In our web app/site, I need to use an iframe or a popup window to validate if the current token is valid and refresh it if no.
So, I create an iframe, and set the property 'src' to the validation link such as "https://<domain_name>/auth?client_id=xxx" which is different to our app domain https://<app_domain>. and the return value will like "https://<domain_name>/code=yyyy"
document.createElement('iframe');
and I added the message handle for the web app/site, like
window.addEventListener("message", this.messageHandler);
in the messageHandler, I will check if the message is from a specified website, and then validate the "code" value, blabla, etc.
But when running in Chrome, I always got the error
"Blocked autofocusing on a element in a cross-origin subframe."
what confused me is:
it always failed when running in the Chrome browser, but it can work fine in Firefox and Edge chromium.
I tried to set iframe.sandbox = "allow-forms allow-scripts allow-same-origin", the problem still existed.
If the validating token failed in iframe or timeout, I will create a popup window to continue validating and refresh the token. But every time, using popup window can always succeed. If it is really a cross-origin issue, why using iframe failed but using popup window succeeded.
I didn't use window.postmessage. because I don't know how to pass the return value of iframe/popup-window to the main page.
I used CORS extension of Chrome or using parameter --disable-web-security when launching Chrome. the problem still existed.
when I created the iframe or popup window. it is very simple, I just set the iframe.src property, there is no element being created.
any help will be much appreciated.
p.s.
I refer to the following doc:
Blocked autofocusing on a form control in a cross-origin subframe
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Support for iframes in web development will only get worse over time as they are a security black hole, browsers are gradually over time locking out features and use of them.
I am assuming you are doing this because you are validating a user on a third party service, validating by watching the response of a third party service website?
Without knowing the service you are using I cannot comment specifically but for anyone looking to do something similar I would highly suggest not doing this:
As mentioned, iframes are constantly having features locked down due to security concerns
An attacker could change the source of the iframe and submit their own iframe to look like it has been correctly validated
It's unlikely that the page you are using as your iframe src is intended for this use, which will come back and bite you when the 3rd party developer changes how their page behaves, which they likely will do without knowing it's going to break your application
I recommend:
Finding a stable API the 3rd party service offers and using that
Finding another service if none exist
Apologies to rain on your parade!
I disagree that iframes are a security risk, rather they can be if not implemented properly.
How to implement them properly should be asked in another question and probably starting with a carefully implemented Content Security Policy as a priority.
I also use iframes within a Chrome extension that has to pass rigorous Google security.
As for the question, I've noticed that error too and I am focusing on an input box when the iframe is loaded and the focus works! I put it down to being a Chrome bug as the warning suggests it has stopped auto focusing when it hasn't.
As for the un-related point about passing the value back to the parent holding the iframe, I can help you with that, but you should ask it in a new question.
Disable some feature of browser setting
Browser Changes
chrome://flags/#cookies-without-same-site-must-be-secure
chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
Above URL just paste it and disabled it. Then ok and relaunch the browser.
Then done it.
Is there any way to detected if a iframed page is sandboxed or not?
I have tried the sandbuster js library but it no longer seems to work over cross-domain.
I also tried to catch exceptions on window.frameElement, but it's always null.
The reason i am asking is the sandboxing feature is used by someone to bypass our protections and load our content without tracking and advertising.
So I am going to be brutally honest about my motive. I am using one of the many video streaming sites out there...it has great quality content, however it has tons of popups and it doesn't work when my ad-blocker is on.
I have been trying to disable the ads when I load the page, but I am unable to set values of the attributes inside of the iframes.
I can select the iframe itself using:
window.frames[x]
However once I try and do anything example
window.frames[1].getElementByClassName('classname').length
I get an error in the console log that says
Uncaught DOMException: Blocked a frame with origin
"http://url.com" from accessing a cross-origin frame.
Any suggestions on how I can circumvent this? I have seen similar posts, but most people are trying to interact with the iframe they are using on their own sites, I want to use a chrome extension to inject the js onload for the site I am accessing.
I imagine the reason I cannot do this has to do with security restrictions, but I figured it was worth a shot asking.
The only way to do this is to setup your own local proxy server and use that to inject your JavaScript into their page.
I have a very old site built in ASP .Net 2008 by an external team who I have no contact with. All of a sudden a page doesn't seem to render properly in Chrome and FireFox but works fine with other browsers. The page is set with an iFrame.
Looking under Inspect Element (Chrome) for the page failing to render I see the error
Refused to display 'http://www.example.com/somepage.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
So read a few articles and I may not understand this fully but it seems to me the error is, the domain requested will NOT allow itself to be displayed within a frame.
The URL above is not the URL I am familiar with (i.e. its third party, I don't have any control with it). Is there anyway to resolve this or is this purely the owner of the domain would have to allow? IF so why does it work in other browsers?
Is there anyway to resolve this
Not at your end.
or is this purely the owner of the domain would have to allow?
This
IF so why does it work in other browsers?
Speculating a little here, but SAMEORIGIN, SAMEORIGIN is not a valid value. It looks like Chrome is attempting error recovery and treating it as SAMEORIGIN
Quentin answer summaries it well.
In addition, if it is an external site beyond your control, they may have good reasons to forbid framing. (Like preventing click-jacking.)
They may also have included a Content-Security-Policy:frame-ancestors 'self' header which would have the same effect.
(And currently, a bug in Chromium (and Chrome) causes X-Frame-Options to take precedence over Content-Security-Policy while it should not.)
You may hack that if their site is served over http (not https) and you have control of a common network device through which all your users network traffic to this site must go. I mean, on that device, if it does allow you to do so, you may filter out 'undesired' headers from responses of this site.
Of course, this is a debatable hack. Depending on terms of uses of the 'victim' site, it could even be a legal issue to do so.
What are the application security risks of including a hidden 3rd Party iFrame?
If I understand correctly...
Click jacking isn't an issue for me because I own the parent page
Same-Origin Policy prevents 3p frame from interacting my dom/cookies/js
The frame is hidden, so I don't have to worry about anything that may be displayed in the frame
However I did some experiments in the Chrome console and...
3p frame can call things like alert/prompt
3p frame can redirect the parent via location.href
Malware inside the 3p frame (java/flash/activeX) could infect my user
I'd love to see a list of the possible issues and any mitigations, but I can't find a good source of information.
So...What are the application security risks of including a hidden 3rd Party iFrame?
If you are implementing Iframes on your website, you could use the sandbox tag in HTML5' iframe to prevent yourself/others on your website.
Source: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox
I don't know how effective it is (the sandbox feature), but it states it can restrict scripts, forms etc inside the iframe.
<iframe sandbox="" src="www.example.com"/>
Although not a guaranteed and effective method, it's one of many different ways. On your end though, you could use add-ons such as NoScript to prevent certain/all scripts from running.
It's possible that the 3rd party iframe, as you said, could use exploits such as drive-by-downloads, browser exploits to gain access to your OS and possibly more.
See also here: Why are iframes considered dangerous and a security risk?
Hope this helps.