I need to disable Chrome's iframe security for just one page so that I can access the contents of cross-domain websites.
I have complete control over this browser, this can use extensions.
I have been looking for a way to do this for the past hour or so. No luck.
You can try out this extension to bypass when development, this will allow you to resolve the issue with cross-domain issue:
https://chrome.google.com/webstore/detail/cross-domain-cors/mjhpgnbimicffchbodmgfnemoghjakai
Disclaim: I am the owner of this extension.
Related
I'm working with Firefox and I'm getting a lot of 'Content Security Policy' warnings in the the console,
including :
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").
and
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
I'm getting these warnings on every website, or almost every website, for example, I get a lot of warnings when I go to Gmail, and less here at StackOverflow,where some website show less, and some show more.
I have recently started working with webpack and some more nodejs tools, can this be the source of these warnings?
what can I do to prevent it?
is it a security issue?
thank you!:)
If I understand your question correctly, It appears you're approaching this as a user rather than as a developer.
From the user point of view:
what can I do to prevent it?
nothing, nor should you.
is it a security issue?
No. Quite the opposite, it is security at work protecting your browsing experience.
From the website developer point of view:
what can I do to prevent it?
Read up on the CSP rules put in place for your website(s) and adjust these rules as required to only allow what you need to alow for your website to work. This is a very broad topic.
I found the lack of clarification as to what assets are blocked and why, a major flaw with the Firefox console (V66) in that it didn't give enough specifity as to what CSP rules were crossed and what site assets were blocked. I found using Google Chrome console gave me this information and helped me to clarify my CSP to allow what needed to be allowed.
is it a security issue?
Not directly. This is security at work protecting the website visitor's browsing experience. Once the CSP is set up to allow the authorised parts of your website to work, the other parts that will be flagged by the CSP mechanism can be ignored (as insecure/unsafe things that should be aborted).
Apart from all the other typical security best practices I'm wondering about this, since I lately read some articles talking about how browser extensions can spy anything their user does. So that we shouldn't trust them.
Therefore in order to give users and additional layer of protection should I process all users credential and sensitive info inside an iframe inside my webpages?
Can content inside a sandboxed iframe be read/spied by browser
extensions?
Yes
Could I use iframe to secure user credentials?
Quick answer, no.
When a user installs a chrome extension the extension can do basically anything in the website to access the user credentials. The extension has also access to the iframes that the page generates.
My proposed solutions to overcome this two issues and keep the website feel "secure" are the following:
If the end goal is to secure the content that your user will put in the website, and by no mean you want to let the user put content if there are other kind of extensions running in the page, what you can put is some kind of pop up in the page blocking the access to the user until he is accessing the website without extensions.
Another solution you could propose to the user is to go incognito mode, as there are many options to disallow extensions in incognito without having to force him to uninstall all of the extensions that he has on his browser. This could also make less users leave your page, as if you force him to uninstall of the extensions on his browser it might make him leave your page if it's not a clear enough reason for him.
If you do know which are the extensions that shouldn't be blocked or prevented because they are harmful or known to have some kind of shady behaviour, what you can do is checkout if the user has them installed with this solution Checking if user has a certain extension installed and then print a message to him saying he can't continue until he uninstalls those extensions.
I create chrome extension. When user hits special shortcut this extension will add iframe to current active page in chrome. This iframe will load js from external resource (my site) and show some data. Is this allowed (to load external js inside iframe)?
I did not find any restrictions in chrome developers about that, but I worry if my extension will not pass check at chrome webstore.
You can insert any HTML code into the DOM, but if you're inserting an IFRAME, it will be limited by same-origin restrictions which will likely prevent the embedded Javascript from running unless both websites share a common domain and protocol.
See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy for further details.
I have a Java web application in domain A (that we control). This application displays another website located in domain B (which we do not control) in an iframe. This external website was recently updated to require users to log on before they can see content. They provided us with a URL that will automatically log our users into their site. This URL works when we navigate directly to it in Internet Explorer (we get automatically logged in etc).
However, apparently there was an update to Internet Explorer so that cross domain communication is not allowed. So now when the login URL is displayed in the iframe, it does not successfully log on (I am guessing its being blocked from creating security cookies).
Also, if we browse to the URL directly and get the security in place, then any iframe elements of the site will not work (I am guessing it is being blocked from accessing security cookies).
Does anyone know of a work around for this? Changing the security level on Internet Explorer is not an option (it is controlled by our company's system administrator). Internet Explorer is also our company standard, so we cannot change that (even though it works fine in Firefox).
When you say "elements of the site will not work" what precisely does that mean?
"Cross-domain" interactions have always been restricted in all browsers. This is called "same-origin-policy" and it's the foundation of web security. The "update" to Internet Explorer you're referring to restricts IE such that a webpage on Domain A can no longer navigate a subframe that is inside a page from Domain B. That restriction has been present in IE for 7+ years and is in all browsers. This restriction is not causing your problem.
This most likely problem here is that the subframe fails to set a P3P header that would permit its cookies to be stored. There are perhaps 30 duplicates on that issue on StackOverflow.
To determine if this is what you're encountering, try this:
In IE, click Tools > Internet Options > Privacy tab.
Set the slider to Accept all
Clear your cookies
Restart the browser and retry the scenario.
If this change solves the problem, then the fix is easy: configure the page which is being framed to specify its cookie policy using a P3P response header.
If this doesn't solve the problem, please update the question with more information that would allow others to reproduce it (e.g. traffic logs, live site URL, etc).
It turns out that this was causes by the login site not being on the trusted sites list. Having security add it as a trusted site and pushing that to all company computers solved the issue.
I have few images on a web page which are fetched from HTTP server while whole web page is on HTTPS. So in Internet Explorer 7 and 8 I get this pop up:
This page contains both secure and non-secure items
Majority of users use Internet Explorer. Somehow they are getting worried about this pop-up. Even though I told some of the users about settings in IE, I dread telling everyone.
Does anyone know how I can disable this pop-up through JavaScript or any other way where the control will be in my hands?
You can't disable the popups. If you could, that's what the bad guys would do, and then there'd be no point to the security popup.
Move your images to your secure server, and the popups will go away because there's nothing being served unsecurly on a secure page.
No you cannot disable it. It is a security feature of the browser. It prevents possible cross site scripting XSS for secure sites.
Your best bet is to host all images, css, javascripts, etc from the secure server also.
Go to internet explorer-tools-security tab-custom level-scripting-active scripting-disable.
This should solve the problem