Author Topic: Allow specific external site to load forum in iframe  (Read 336 times)

Offline spiros

  • Language Moderator
  • SMF Hero
  • *
  • Posts: 1,732
  • Gender: Male
  • A different point of view
    • spiros.doikas on Facebook
    • doikas on LinkedIn
    • @greektranslator on Twitter
    • Greek Translation
Allow specific external site to load forum in iframe
« on: April 08, 2019, 10:12:39 AM »
How can I allow a specific external site to load the forum in an iframe?

Offline spiros

Re: Allow specific external site to load forum in iframe
« Reply #1 on: April 08, 2019, 11:21:28 AM »
I.e. add in index.php the second line?

Code: [Select]
header('X-Frame-Options: SAMEORIGIN');
header('X-Frame-Options: allow-from http://otherdomain.org/');

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 70,993
    • StoryBB/StoryBB on GitHub
Re: Allow specific external site to load forum in iframe
« Reply #2 on: April 08, 2019, 11:29:42 AM »
The second line replaces the first (a header can only exist once) but not all browsers respect that setting, or didn’t last I checked.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline spiros

Re: Allow specific external site to load forum in iframe
« Reply #3 on: April 08, 2019, 11:52:12 AM »
It did not work at all. Apparently "X-Frame-Options" has been replaced by "Content-Security-Policy":

https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

which allows multiple values. I am trying something like:

Code: [Select]
header('Content-Security-Policy "frame-ancestors *.magicsearch.org/ 'self'");
Or

Code: [Select]
header('Content-Security-Policy: frame-ancestors *.magicsearch.org/ *.translatum.gr/);
But they both result in HTTP ERROR 500.

Offline Arantor

Re: Allow specific external site to load forum in iframe
« Reply #4 on: April 08, 2019, 11:59:27 AM »
You have mismatched quotes, but typing quotes on iPad is hard right now...

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 50,746
Re: Allow specific external site to load forum in iframe
« Reply #5 on: April 08, 2019, 12:07:28 PM »
Code: [Select]
header('Content-Security-Policy "frame-ancestors *.magicsearch.org/" self');
I believe the above code has the corrected quotes.

Offline spiros

Re: Allow specific external site to load forum in iframe
« Reply #6 on: April 08, 2019, 12:20:28 PM »
I tried the one below, and apparently it works on the third site and on the site itself (translatum). The only strange issue is that it does not load the iframe on the third site using Chrome proper (and checking the source, it reads "your browser does not support iframes"), but it loads it in an incognito window.

Code: [Select]
header('Content-Security-Policy: frame-ancestors http://magicsearch.org https://www.translatum.gr');
Edit: found the culprit, it was the Privacy Badger extension
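
The header the thread arrives at, built from an allowlist instead of a hand-typed string. This is an added example, not code from any poster or from SMF; build_frame_ancestors() is a hypothetical helper, and the two origins are the ones in the working header from Reply #6.

```php
<?php
// Added example, not SMF code. build_frame_ancestors() is a hypothetical helper.

/**
 * Build the value of a Content-Security-Policy header that limits who may
 * frame the page. Each entry must be a bare origin: scheme://host[:port],
 * where the host may start with "*." to cover subdomains.
 */
function build_frame_ancestors(array $origins, bool $allowSelf = true): string
{
    $sources = $allowSelf ? ["'self'"] : [];
    foreach ($origins as $origin) {
        // Reject paths, quotes, semicolons, spaces and line breaks, so a bad
        // entry cannot end the directive early or smuggle in another one.
        if (!preg_match('~^https?://(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(:\d{1,5})?\z~i', $origin)) {
            throw new InvalidArgumentException("Not a bare origin: $origin");
        }
        $sources[] = strtolower($origin);
    }
    // An empty allowlist becomes 'none', which forbids all framing.
    return 'frame-ancestors ' . ($sources ? implode(' ', $sources) : "'none'");
}

// Origins copied from the working header in the last post of the thread.
$allowed = ['http://magicsearch.org', 'https://www.translatum.gr'];
$csp     = 'Content-Security-Policy: ' . build_frame_ancestors($allowed);

if (PHP_SAPI !== 'cli' && !headers_sent()) {
    // One pair of outer quotes and a colon after the header name: the
    // attempts that ended in HTTP 500 broke the PHP string itself.
    header($csp);
    // Fallback for browsers without frame-ancestors support. Browsers that
    // enforce frame-ancestors ignore X-Frame-Options when both are sent, so
    // the external site still works there; older ones fail closed.
    header('X-Frame-Options: SAMEORIGIN');
} else {
    // Run from the command line to inspect the header before deploying it.
    echo $csp, PHP_EOL;
}
```

Adding another allowed site then means adding one array entry, and a malformed entry raises an exception before any header is sent.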