X-Frame ORIGINS in IFRAME

Question

A while ago I created an application whereby clients connect to a server using WebRTC protocols.

The clients screen is made up of two halves. One half is linked to the server and receieves things like messages, and has the web page which has the WebRTC javascript in it. The other is an IFRAME. When the client connects to the server, the server sends the client a web address which is loaded in the IFRAME.

I know that some web pages cannot be loaded in an iframe, examples typically having password screens. Google forms does not appear to have this restriction, which is great.

So now imagine I launch a server and ask 20 people to connect to it. All 20 students connect to the server properly, I know because it comes up with all their details on my computer. Typically, from my testing, 15/20 will be fine. The other 5 will get a white screen. When I investigate in the console it is an XFRAMES ORIGIN problem, its saying the webpage being loaded will not allow itself to be loaded in an iframe. However everybody else (who are using the same browser [chrome], and some the same browser version) are fine.

Now I have one solution which works for some students, there is a setting in chrome which is called:

block third party cookies and site data

If this is enabled it doesn't work, if its not enabled it does work.

Now I have 4 students left who still just see a white screen whom I have no solution for. Chrome and Firefox both support the software but both produce the same issue.

The building setup is that students connect to the internet through a server. They must connect via this server as my nameserver is not local and indeed my website is not local either.

I dont think it is a coding issue as it only happens on a few select computers and everything else works just hunky dory. Thus I think it might be an issue with something else: firewall, security settings, config button etc. If anybody has any suggestions for what i can do to remedy this then I would be very grateful for your help.

I have tried to supply all info I believe to be relevant (hense the length) but anything I have missed please ask.

Thank you. Alex

Answer 1

If the main site's URL is different than the iframe's URL, you'll get an xframes origin problem. This includes the protocol (http vs. https) and full domain (example.com vs www.example.com). In other words, if a user goes to example.com and the iframe uses www.example.com it could cause an xframes origin error. Or if they go to http://www.example.com and the iframe uses https://www.example.com you might get this error.

Answer 2

OK so for people who encounter this issue in the future I am going to create an update this post here. Basically it is for people who want an answer to the issue of iframes just displaying a whitepage.

With these three solutions I have eliminated all my issues, but as I come up with new ones I will post them here. Hopefully its useful to somebody :)

SOLUTION 1

If your iframe is aiming somewhere that requires the user to log in, it is unlikely to work. Password pages are rarely cross origin for obvious and good reasons. The solution is to ensure before they use your iframe page they log in fully to what they are doing, or provide an error message that gives them this information if it happens. See this post for details: Catch error if iframe src fails to load . Error :-"Refused to display 'http://www.google.co.in/' in a frame.."

Where I am we had dual login, so they sign into google and then into the organisation. Both these login areas will cause your page load to fail.

SOLUTION 2 (Chrome ONLY)

Some services react badly to QUIC mode, and some of my users have had issues due to this.

To fix:

  1. chrome://flags
  2. change QUIC mode to 'Disabled'

SOLUTION 3

If you are working via a proxy server that requires cookies, users may have issues if they have the 'Block third-party cookies and site data' button enabled. Disabling this had a positive effect on how well the iframes were working.

In chrome:

Settings
Search for cookies
Click 'content settings'