Simple Machines Community Forum

Customizing SMF => Tips and Tricks => Topic started by: vbgamer45 on January 11, 2019, 12:02:05 PM

Title: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: vbgamer45 on January 11, 2019, 12:02:05 PM
In this simple guide we will show how to allow SMF 2.0.x to run in an iframe.

Open your index.php in the root directory of your forum

Find
Code: [Select]
header('X-Frame-Options: SAMEORIGIN');
Change to
Code: [Select]
// header('X-Frame-Options: SAMEORIGIN');
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: live627 on January 11, 2019, 10:31:57 PM
Wouldn't this then open the door to clickjacking (https://www.owasp.org/index.php/Clickjacking)?
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Aleksi "Lex" Kilpinen on January 12, 2019, 02:22:07 AM
There are risks, but there are also valid usecases.
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Kindred on January 21, 2019, 10:49:34 AM
personally, I think that iframes are outdated at this point.... with the various SSI functions from pretty much every site, why would you open yourself to the potential security issues?
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Masterd on February 02, 2019, 12:34:35 PM
Wouldn't this then open the door to clickjacking (https://www.owasp.org/index.php/Clickjacking)?

It most certainly would. Iframes are an outdated and risky concept at this point.
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: spiros on April 08, 2019, 01:00:43 PM
Even better, define extra sites with Content-Security-Policy: frame-ancestors

https://www.simplemachines.org/community/index.php?topic=566974.msg4015060#msg4015060
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: vbgamer45 on April 08, 2019, 02:12:37 PM
Learned something new.
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: spiros on April 09, 2019, 09:23:42 AM
Well, we all live and learn, took me a couple of hours searching to sort it out...
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Douglas on December 30, 2019, 06:17:49 AM
While I know this is an older topic, is there a variation of this available for SMF 2.1xx?
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Illori on December 30, 2019, 07:17:36 AM
it is a feature in the admin panel. I don't recall where but you can configure this directly there.
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: lurkalot on December 30, 2019, 07:30:58 AM
it is a feature in the admin panel. I don't recall where but you can configure this directly there.

In Admin > Maintenance > Server Settings > Security:  Frame Security Options

Or Just type the word frame into the admin search box.  ;)
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Douglas on December 30, 2019, 08:06:48 AM
I heart y'all!  Thank you, thank you!
Title: Re: [HOWTO] Allow SMF 2.0.x to run in an iframe
Post by: Douglas on December 30, 2019, 09:44:46 AM
Okay, since y'all helped me, I've worked through a process to allow the iframed page title to be fed back to the parent page's page title... I want to post this as a tip and trick, of course, but can't seem to create a new topic for this (and, yes, I've read the instructions).

I'll have to make this post somewhere else, come back here and link to it, and let the SMF team have at it.

Posted... just to ensure I'm complying with the Tips and Tricks guidelines, I've posted it on one of the SMF Friends private board.

This will allow the SMF Team to review and decide to approve/reject. :)