
I have developed a search form which is hosted on a local server (IIS, .NET Core web site) in my company. The web site is a WordPress site hosted on another server (Apache, WAMP), also in the company. Both have different public IPs, but both are hosted under subdomains of the same domain.

Say, wordpress.company.com and search.company.com, and I have control over both.

The first time I tested using an iframe plugin, everything seemed to work OK; however, I realized now that there is this error shown in Edge. The same behavior is shown on all browsers, yet no similar messages are shown.

This content can’t be shown in a frame

There is supposed to be some content here, but the publisher doesn’t allow it to be displayed in a frame. This is to help protect the security of any information you might enter into this site.

Try this

Open this in a new window (which is a link to the iframe's content URL)

The weird thing is I just have to press F5 and everything loads correctly.

The error in the Chrome console is:

Refused to display 'http://subdomain.mysite.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

How can I work around this behavior?

  • The reason this error usually happens is because in `.htaccess` (or elsewhere, depending on settings) the security aspect is set to "self" only, not allowing anyone to embed your site. The point of this is to prevent other sites from pretending they are you, and getting users in trouble. For example: `Header always set Content-Security-Policy: "default-src 'self'"`. And the solution would be to add the domain in which you want to embed it to the whitelist. I don't understand how refreshing fixes it... –  May 10 '18 at 11:29
  • Can you explain how to add the domain? I mean both are under the same domain, in different subdomains, but soon the web site will be moved to the main domain, say www.company.com. I'm not very used to this kind of process. – Ricker Silva May 10 '18 at 11:47
  • So if the existing setting is `Header always set Content-Security-Policy: "default-src 'self'; script-src 'self';"` and I add google.com, it becomes `Header always set Content-Security-Policy: "default-src 'self' *.google.com; script-src 'self';"` (`*` being a wildcard to include all subdomains, but you can type a specific one). The syntax for a CSP header is: opening quote, name of property, whitelist items, colon (repeated as needed), closing quote. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP –  May 10 '18 at 11:52
  • It seems it solved part of the problem. Now it loads immediately without refreshing, but CSS styles are not being loaded. What could be missing? – Ricker Silva May 10 '18 at 14:23
  • Simple! :) permissions for CSS styles: `style-src 'self' *mysite.com;`-And let me tell you that once you use CSP, you need to set permissions for JS as well (`script-src`), images (`img-src`), and there are more. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP - it's a pain but this lets you have full control. One inconvenience (?) I recall is that there is a way to prevent CSS or JS injections, but then you cannot have ANY inline CSS or JS. They simply won't be applied, and console (in browser) will tell you "this style has been stopped because of this rule". It can be set with... –  May 10 '18 at 15:00
  • "inline" or something, but you'll find it in the docs. –  May 10 '18 at 15:03
  • thank you very much, you should post it as answer so I can check it – Ricker Silva May 10 '18 at 16:51
  • Well, I did manage to allow the scripts and styles I needed. However, the first time it is still blocked, and allowed once I hit F5. I opened the console when it blocked and the message is: Refused to display 'http://subdomain.mysite.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'. – Ricker Silva May 11 '18 at 00:41

1 Answer

The problem is similar to the one described here, but because of .NET Core. And the solution is also similar.

You can also use the recommendations made by @user770 in the comments on the question. However, that does not solve the iframe block. Nor does this answer explain why refreshing the page solved the issue; however, that is not a good experience for users.

So, the solution is easy, and can be done in code; that way you are more secure if anyone tries to overwrite the X-Frame-Options setting on your server. Any multiple setting will result in 'deny'.

In the Startup.cs file of your project you have to add this, to prevent .NET Core from adding the 'sameorigin' setting automatically.

    public void ConfigureServices(IServiceCollection services)
    {
        //YOU CAN HAVE SOME CODE HERE

        // Stop the antiforgery middleware from emitting X-Frame-Options: SAMEORIGIN
        services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);
    }

However, this may put your site at risk, and this scenario is intended to be applied when you have control over both sites and both domains.

To secure the site, you have to set the X-Frame-Options header to allow the domain you want. Again in Startup.cs do the following.

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        //YOU MAY HAVE SOME CODE HERE

        // Emit the framing header on every response
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("X-Frame-Options", "ALLOW-FROM http://*.MYCONTROLLEDDOMAIN.COM https://*.MYCONTROLLEDDOMAIN.COM");
            await next();
        });
    }

That way you will allow your domain to request this website within an iframe.
