Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: spiros on April 08, 2019, 10:12:39 AM

Title: Allow specific external site to load forum in iframe
Post by: spiros on April 08, 2019, 10:12:39 AM
How can I allow a specific external site to load the forum in an iframe?
Title: Re: Allow specific external site to load forum in iframe
Post by: spiros on April 08, 2019, 11:21:28 AM
I.e. add in index.php the second line?

Code:
header('X-Frame-Options: SAMEORIGIN');
header('X-Frame-Options: allow-from http://otherdomain.org/');
Title: Re: Allow specific external site to load forum in iframe
Post by: Arantor on April 08, 2019, 11:29:42 AM
The second line replaces the first (a header can only exist once) but not all browsers respect that setting, or didn’t last I checked.
Title: Re: Allow specific external site to load forum in iframe
Post by: spiros on April 08, 2019, 11:52:12 AM
It did not work at all. Apparently "X-Frame-Options" has been replaced by "Content-Security-Policy":

https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

which allows multiple values. I am trying something like:

Code:
header('Content-Security-Policy "frame-ancestors *.magicsearch.org/ 'self'");
Or

Code:
header('Content-Security-Policy: frame-ancestors *.magicsearch.org/ *.translatum.gr/);
But they both result in HTTP ERROR 500.
Title: Re: Allow specific external site to load forum in iframe
Post by: Arantor on April 08, 2019, 11:59:27 AM
You have mismatched quotes, but typing quotes on iPad is hard right now...
Title: Re: Allow specific external site to load forum in iframe
Post by: Illori on April 08, 2019, 12:07:28 PM
Code:
header('Content-Security-Policy "frame-ancestors *.magicsearch.org/" self');
I believe the above code has the corrected quotes.
Title: Re: Allow specific external site to load forum in iframe
Post by: spiros on April 08, 2019, 12:20:28 PM
I tried the one below, and apparently it works on the third site and on the forum's own site (translatum). The only strange issue is that it does not load the iframe on the third site using Chrome proper (and, checking the source, it reads "your browser does not support iframes"), but it loads it in an incognito window.

Code:
header('Content-Security-Policy: frame-ancestors http://magicsearch.org https://www.translatum.gr');
Edit: found the culprit, it was the Privacy Badger extension
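
An added example, not part of any post in this thread and not SMF code: one way to build the `frame-ancestors` header from an allowlist so that the quoting of `'self'` and the shape of each origin are checked before the header is sent. The helper name `frameAncestorsHeader` is hypothetical, and it is assumed that any `X-Frame-Options` header was set by PHP earlier in the same request.

```php
<?php
// Added example; frameAncestorsHeader() is a hypothetical helper, not an SMF function.

function frameAncestorsHeader(array $origins, bool $allowSelf = true): string
{
    // The keyword is written with its single quotes inside the header value,
    // so the PHP string around it uses double quotes.
    $sources = $allowSelf ? ["'self'"] : [];

    foreach ($origins as $origin) {
        // scheme://host[:port] only, optional leading "*." wildcard.
        // \z (not $) so a trailing newline cannot slip into the header.
        $ok = preg_match(
            '~^https?://(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d{1,5})?\z~i',
            $origin
        );
        if ($ok !== 1) {
            throw new InvalidArgumentException('Not a plain origin: ' . var_export($origin, true));
        }
        $sources[] = strtolower($origin);
    }

    // Nothing allowed at all: say so explicitly instead of sending an empty directive.
    if ($sources === []) {
        $sources = ["'none'"];
    }

    return 'Content-Security-Policy: frame-ancestors ' . implode(' ', $sources);
}

// The two origins from the last post in the thread.
$line = frameAncestorsHeader(['http://magicsearch.org', 'https://www.translatum.gr']);

if (PHP_SAPI === 'cli') {
    echo $line, PHP_EOL;             // inspect the header from the command line
} else {
    // Drop an X-Frame-Options header set earlier by PHP in this request
    // (assumed; one added by the web server config is not affected).
    header_remove('X-Frame-Options');
    header($line);
}
```

An entry with a trailing slash or path, such as `*.magicsearch.org/`, is rejected by the check rather than passed through to the browser.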