Hardware: VPS bought online YunoHost version: 11.0.10 I have access to my server : Through SSH Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
Description of my issue
Hi guys!
Hope you’re doing well. I’m trying to have an iframe display an html file from a file served by my Yunohost server and I get an error because X-FRAME-OPTIONS header is set to sameorgin. I can’t find where that header is defined in the nginx config file.
I tried just adding add_header Content-Security-Policy "frame-ancestors *"; to the domains nginx config file and I get it to display the iframe but I can’t do some javascript stuff on it to e.g. get the height of the content. I think the problem is that X-FRAME-OPTIONS is still sameorgin.
There is no reason you will be in doubt if the content policy is still set to same origin,
i am not expert in nginx i am struggling with it myself, but i am expert in apache, which to my believe it works with the same principle,
the main difference is the syntax in enginx looks like a json,
in a view of security to set content policy to allow frame option of any kind other than the server origin is a very bad idea, which will expose you to hundreds of online penetration tools what will load your content through proxy and from there to other scan abilities,
in general, content policy headers should always being checked with the browser developer tool,
i don’t know in firefox but in any of chromium based browser you can press the F12 button,
navigate to “Network” > chose any element you like, and then it will show you the content policy of that specific element / page global
what’s the reason you don’t get javascript to run, also that should be checked with the developer tools, open it and then you probably will get errors, so click on the red icon at the corner to get a detailed info about the errors,
This is the error I’m getting when trying to run javascript on the iframe element: Uncaught DOMException: Blocked a frame with origin "https://www.MYDOMAIN.com" from accessing a cross-origin frame.
I decided to avoid the iframe completely because I actually don’t have to use it. Now I’m just using javascript to fetch the content from the url and display in inside a div on the page and that avoids all of this cross-orgin stuff.
Thank you for pointing out other important headers. It’s going to be useful in the future.
