Updating details to understand more: *In my project, user uploads html themes. For each user, if they authenticate, I am creating a public static folder for authenticated user in the same theme folder they are requesting. Then there is a editor in the front end where they can edit html theme contents. I am trying to show html themes in the editor using a iframe using the static link from backend. But the problem is I can't add script to the html theme in the iframe. It's saying permission denied. How can I solve this problem?
I am using express in backend and nextjs in frontend. I have added this code in helmet middleware.
app.use(
helmet({
contentSecurityPolicy: {
directives: {
'connect-src': ["'self'", 'http://localhost:3000'],
'default-src': "'self'",
'frame-ancestors': ["'self'", 'http://localhost:3000'],
sandbox: ['allow-forms', 'allow-scripts'],
'script-src': ["'self'", 'http://localhost:3000'],
},
},
})
);
For cross site scripting,
app.use(xss())
But still getting error in iframe.
From Backend I am trying to allow a route to be use in iframe in the frontend. Since, both server have different port in localhost, it's violating cross site embed and scripting. So, I am using helmet and xss package. I need help to configure it.
I am using iframe's onload attribute to check if it is loaded and then injecting another script to the iframe from frontend.
You have an issue of Same Origin Policy, not with Content Security Policy. Helmet package can't help you.
Set the value document.domain = 'example.com'; (example.com = 'localhost' in your case) both in the iframe and in the main page. It will reset port number to null and subdomain any.example.com to domain example.com, see test.
If both iframe and main page are on the same domain, you can just set document.domain = document.domain;.
Both variants leads resetting port number to null. therefore yoy'll be able to acces iframe with a different port number.
Related
I am challenging with my own React Native browser, in that i want to inject my javascript code to iframes in page to discover Resource Timing API. With Main Frame everything is good but with iframes i got "Blocked" by not Same-Origin.
I resolved this by fetch it & add to iframe by srcdoc or access from local file. Some site is running but others are not because it has relative url in its resourses (Ex : image, js, css...). I also try html prop & local file for main frame with baseUrl prop & run ok, but with iframe whether there is anything as baseUrl ?
I think,
The same origin is security check for the site you are trying to access, and it can only be accessed by domain that the site is from, using iframe the origin will be your domain and child site will always block this as requesting domain is different.
If you still want to use the sites which throws same origin error you might need to whitelist your domain at there site first.
I just deployed my Vue app to my website using GitHub Pages.
The website is successfully hosted at https://astroorbis.com.
Here's the problem; When you click the "links" button at the top of the page, it successfully nagivates you to https://astroorbis.com/links, but when you try visiting the URL itself (typing in https://astroorbis.com/links) into your browser, it returns a 404.
There are other links that have the same error, such as /discord, /github, etc.
I tried the solution at Vue Router, GitHub Pages, and Custom Domain Not Working With Routed Links, but it failed as well.
What would be the solution for this?
As stated in this section of the HTML5 mode
Here comes a problem, though: Since our app is a single page client side app, without a proper server configuration, the users will get a 404 error if they access https://example.com/user/id directly in their browser. Now that's ugly.
Not to worry: To fix the issue, all you need to do is add a simple catch-all fallback route to your server. If the URL doesn't match any static assets, it should serve the same index.html page that your app lives in. Beautiful, again!
So, the solution would be to use something like that
const routes = [
// will match everything and put it under `$route.params.pathMatch`
{ path: '/:pathMatch(.*)*', name: 'NotFound', component: NotFound },
]
On Netlify, you also need to add the following for it to work
/public/_redirects
/* /index.html 200
So I'm not sure about Github Pages but you should have something similar there, some way of catching all routes and sending them to the index.html of your initial SPA page load.
Otherwise maybe just give a try to Netlify with the _redirects configuration.
Maybe this article could help regarding Github pages.
The hack in your given link seems to be the only viable solution but it's still bad for SEO so yeah, depends if you want any (I guess so).
In that case, you could try Nuxt.js, Gridsome or Vitesse if you want to have some statically generated pages (best approach regarding SEO).
I've uploaded a new static blog to GitHub Pages using Ghost and Buster.
Github Repo: https://github.com/paddy420Smokers/cannalogie
I've added the code below to force all pages to use https:// , on the Frontpage and Category Pages its working fine, but on Posts only https:// is there but it's not fully secured.
<script>
var host = "cannalogie.net";
if ((host ==window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
Does anyone know how to fully secure all pages and posts?
Looking at the developer tools, it looks like you're loading something that over http while the rest of your page is loaded over https. That causes the whole page to be considered insecure and not show the lock symbol, even if the url shows https.
It looks like you're loading a .gif over http. If you change the url to load it over https, the error should go away and the lock should appear.
In my webpack config I have the publicPath set like so:
publicPath: '/js'
This way it points to public/js. Also in my index.pug file, which is loaded by the server and not in the public folder I have this:
extends layout
block content
main#app
script(src="/js/bundle.js")
Unfortunately, this enables people accessing my site to visit example.com/js/bundle.js. Is there a way to prevent this?
If /js/bundle.js is a script file you are using in your web page, then there is NO way to prevent the browser from going directly to http://example.com/js/bundle.js. That's the exact URL that the browser uses to load the script from your web page so that URL has to work.
ALL Javascript that runs in your web page is openly available to the public. You cannot change that. That's the architecture of the web and browsers.
Unfortunately, this enables people accessing my site to visit example.com/js/bundle.js. Is there a way to prevent this?
No. You cannot prevent it.
I've have weird issue, on dev theme (preview mode) $.get request works fine -> https://woolet-co.myshopify.com/blogs/news
but on active theme on main domain https://woolet.co/blogs/news there is an error, I can't figure it out why its happening.
If you try this code in console on both URLs you will see the response code error on main domain:
$.get('/admin/blogs/19692355/articles/229491718.json', function(data) {
console.log(data);
});
I guess that it's connected with domains, on https://woolet-co.myshopify.com/blogs/news $.get request works fine and on https://woolet.co/blogs/news it shows error in console.
I've tried to execute $.get request through Shopify Private App with login and password included but without any result.
This isn't working for you because your XMLHttpRequest is for a different domain than the one the page is on.
For this to properly work, you need to enable CORS. I would also suggest putting in the absolute URL of where this JSON file is located.
It would work on your preview mode. Because there both shop url and admin url are on same domain
https://woolet-co.myshopify.com/blogs/news
But when you try to browse using your real domain "https://woolet.co/". The domain from where you are making the get request and the domain from where the file is coming becomes different. ( https://woolet-co.myshopify.com/admin/blogs/19692355/articles/229491718.json )
As far i know you can not enable cors on shopify
and
It wont work because "https://woolet-co.myshopify.com/admin/blogs/19692355/articles/229491718.json" requires you to be logged it to the store as admin.
Try some other way.