How can I disable anti iframe protection / cross-orign access? My webmin is located at https://webmin.SOMEDOMAIN.com/ and page with iframe is in http://admin.SOMEDOMAIN.com/
If you are referring to "Referrer checking enabled"/ Trusted website options, it is configured at this address: https://webmin.SOMEDOMAIN.com//webmin/edit_referers.cgi
Related
I am working with an application where another application is embedded inside an iframe.
The embedded application uses a google service which requires authentication.
Of course Google is not happy about this
Refused to display 'https://accounts.google.com/signin/oauth/error?authError=[...characters...].apps.googleusercontent.com' in a frame because it set 'X-Frame-Options' to 'deny'
Is there any alternative for authenticating and connecting to this service within the iframe?
If X-Frame-Options is set to DENY then supporting browsers will refuse to display the site in an iframe regardless of site settings or domain.
This behavior is intended to prevent clickjacking attacks.
If you have control over the browser your users are utilizing, you can select a browser that does not support X-Frame-Options.
I am using an iFrame which is hosted on another domain that has an SSL certificate. On the page where the iFrame is used I get 'Not Secure' message next to the domain in Google Chrome and the following warning in the console log:
This page includes a password or credit card input in a non-secure
context. A warning has been added to the URL bar. For more
information.
Note: The iFrame loads an online booking portal which includes both login details and credit card information.
In order to prevent this message from showing, would I need to purchase an SSL certificate?
I'm asking because I don't want to order one if it doesn't resolve the issue, there is a way around this without having to get a SSL certificate or if it's just not worth getting one for this situation.
Your thoughts would be highly appreciated.
Thanks in advance.
To help users browse the web safely, Chrome indicates connection
security with an icon in the address bar. Historically, Chrome has not
explicitly labelled HTTP connections as non-secure. Beginning in
January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords
or credit cards as non-secure, as part of a long-term plan to mark all
HTTP sites as non-secure.
It applies to all sites that are not https.
Do check for any website which have login information and doesn't have https, you can view the username and password in the chrome developer window.
security page documentation
after upgrading to Safari 9 I'm getting this error in the browser:
[Warning] [blocked] The page at https://localhost:8443/login was not allowed to run insecure content from http://localhost:8080/assets/static/script.js.
Anyone knows how to enable the running of insecure content on the new Safari?
According to the Apple support forums Safari does not allow you to disable the block on mixed content.
Though this is frustrating for usability in legitimate cases like yours, it seems to be part of their effort to force secure content serving / content serving best practices.
As a solution for you you can either upgrade the HTTP connection to HTTPS (which it seems you have done) or proxy your content through an HTTPS connection with an HTTPS-enabled service (or, in your case, port).
You can fix the HTTPS problem by using HTTPS locally with a self signed SSL certificate. Heroku has a great how-to article about generating one.
After setting up SSL on all of your development servers, you will still get an error loading the resource in Safari since an untrusted certificate is being used(self signed SSL certificates are not trusted by browsers by default because they cannot be verified with a trusted authority). To fix this, you can load the problematic URL in a new tab in Safari and the browser will prompt you to allow access. If you click "Show Certificate" in the prompt, there will be a checkbox in the certificate details view to "Always allow content from localhost". Checking this before allowing access will store the setting in Safari for the future. After allowing access just reload the page originally exhibiting a problem and you should be good to go.
This is a valid use case as a developer but please make sure you fully understand the security implications and risks you are adding to your system by making this change!
If like me you have
frontend on port1
backend on port2b
want to load script http://localhost:port1/app.js from http://localhost:port2/backendPage
I have found an easy workaround: simply redirect with http response all http://localhost:port2/localFrontend/*path to http://localhost:port1/*path from your backend server configuration.
Then you could load your script directly from http://localhost:port2/localFrontend/app.js instead of direct frontend url. (or you could configure a base url for all your resources)
This way, Safari will be able to load content from another domain/port without needing any https setup.
For me disabling the Website tracking i.e. uncheck the Prevent cross-site tracking worked.
i wondering, it is possible to redirect ALL WEBSITE to a URL(authentication page) in localhost (wampserver)..
after client login (in the authentication page) with correct ID and PASSWORD, then the client will be able to access to any WEBSITE.
You could setup basic authentication in apache. Edit httpd.conf by clicking through from the WampServer icon and follow these instructions. However, instead of using <Directory "/var/www/html/protected"> and doing it for each vhost, use <Location />. This is because each site will match that location directive so will all need to run the same authentication before sites will be shown.
If you didn't want to use basic auth in this manner, then I'd suggest you setting up shared authentication on your sites (like stack uses OpenID) or looking at something like CORS, but that seems like a lot of work.
The final thing I'd point out is IP restriction. We have some clients/staff/etc that access our dev servers but it's all locked down to specific IPs and luckily so far everyone who's needed it has had a static IP. This may not be an option.
I was enabling "Encrypt Login Form" for my joomla website but after user logging in, it always forwarded to https:// url. Is there any easy way to force forwarded url to use http:// ? So the ssl will be used for login or registration purpose only?
Thanks