
#1 2021-07-18 08:25:24

mrg
Member
Registered: 2021-07-17
Posts: 8

Failed to embed my forum on my domain from my subdomain by iframe

Hi, I am trying to embed my forum into my domain from my subdomain using an iframe. I have tried to set my .htaccess with this CSP:

Header add Content-Security-Policy "default-src 'self' domain.com ;"

and set my header to:

$frame_options = defined('FORUM_FRAME_OPTIONS') ? FORUM_FRAME_OPTIONS : 'ALLOW FROM domain.com';
header('X-Frame-Options: '.$frame_options);

but I get this following error:

Invalid 'X-Frame-Options' header encountered when loading 'https://sub.domain.com/': 'ALLOW FROM domain.com' is not a recognized directive. The header will be ignored.
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' *.domain.com". Either the 'unsafe-inline' keyword, a hash ('sha256-1YPlphaFFveAOvBhnUwFR8Pgt1M9OhxjREvzKTqqPY4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' *.domain.com". Either the 'unsafe-inline' keyword, a hash ('sha256-DQP2kZ1SYdiasEysgY5eykvT7nTl6iQ/mgxl8C3Ds2M='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
jquery-1.10.2.min.js:5 Uncaught DOMException: Blocked a frame with origin "https://www.domain.com" from accessing a cross-origin frame.

Can anybody help me solve this error? Big thanks for your attention. Thanks.


#2 2021-07-18 09:14:52

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,507

Re: Failed to embed my forum on my domain from my subdomain by iframe

'ALLOW FROM domain.com' is not a recognized directive.

ALLOW-FROM?
https://tools.ietf.org/id/draft-ietf-we … tion.2.2.1

Refused to apply inline style
Refused to execute inline script

You need to resolve inline scripts and styles. A good security policy is very difficult to set for FluxBB.
https://fluxbb.org/forums/viewtopic.php?id=9832

P.S. And you do not need to delete the themes you have created :P


#3 2021-07-18 11:39:57

mrg
Member
Registered: 2021-07-17
Posts: 8

Re: Failed to embed my forum on my domain from my subdomain by iframe

Oops, little typo, I mean ALLOW-FROM.
So, what should I do to make the iframe work for my subdomain forum?
Do you have any step by step tutorial for me?


#4 2021-07-18 12:28:39

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,507

Re: Failed to embed my forum on my domain from my subdomain by iframe

1. For X-Frame-Options, in config.php add this code:

define('FORUM_FRAME_OPTIONS', 'ALLOW-FROM domain.com');

--> work: https://github.com/fluxbb/fluxbb/blob/m … er.php#L27

2. Add the command to the Content-Security-Policy header:

frame-ancestors 'self' domain.com subdomain.domain.com;

but probably this alone is enough:

frame-ancestors domain.com;

Last edited by Visman (2021-07-18 12:35:43)


#5 2021-07-19 05:13:55

mrg
Member
Registered: 2021-07-17
Posts: 8

Re: Failed to embed my forum on my domain from my subdomain by iframe

Visman wrote:

1. For X-Frame-Options, in config.php add this code:

define('FORUM_FRAME_OPTIONS', 'ALLOW-FROM domain.com');

--> work:

2. Add the command to the Content-Security-Policy header:

frame-ancestors 'self' domain.com subdomain.domain.com;

but probably this alone is enough:

frame-ancestors domain.com;

But this one still gives me an error like this:

Refused to frame 'https://subdomain.domain.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors domain.com subdomain.domain.com".

and

Failed to load resource: the server responded with a status of 500 ()

and

Uncaught DOMException: Blocked a frame with origin "https://www.domain.com" from accessing a cross-origin frame.

It makes me so confused, now what do I have to do, mr Visman? :(


#6 2021-07-19 11:48:43

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,507

Re: Failed to embed my forum on my domain from my subdomain by iframe

mrg wrote:

But this one still gives me an error like this:

Refused to frame 'https://subdomain.domain.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors domain.com subdomain.domain.com".

Test:

frame-ancestors https://domain.com https://subdomain.domain.com;

mrg wrote:

and

Failed to load resource: the server responded with a status of 500 ()

Open the server error log on your server and see what the server is swearing at.
P.S. There may be a bug or a forbidden command in the .htaccess.

Last edited by Visman (2021-07-19 11:49:37)


#7 2021-07-19 12:10:02

mrg
Member
Registered: 2021-07-17
Posts: 8

Re: Failed to embed my forum on my domain from my subdomain by iframe

I have corrected it, here is my .htaccess:

Header add Content-Security-Policy "frame-ancestors https://domain.com https://subdomain.domain.com ;"

but I am still stuck with the same error, sir.


#8 2021-07-19 13:09:19

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,507

Re: Failed to embed my forum on my domain from my subdomain by iframe

Open the developer tools in your browser on the Network tab and check the headers given by the server for the site and the frame. They may not have the meanings you expect or are duplicated with different meanings.

P.S. Perhaps you have a problem with the site (and its headers), and not the forum, which is loaded in the frame.


#9 2021-07-20 00:45:55

mrg
Member
Registered: 2021-07-17
Posts: 8

Re: Failed to embed my forum on my domain from my subdomain by iframe

Visman wrote:

Open the developer tools in your browser on the Network tab and check the headers given by the server for the site and the frame. They may not have the meanings you expect or are duplicated with different meanings.

P.S. Perhaps you have a problem with the site (and its headers), and not the forum, which is loaded in the frame.

Yes, you're right, I think the problem is the headers of my site.
Here are the response headers from my site:

HTTP/2 200 OK
server: nginx
date: Tue, 20 Jul 2021 00:18:02 GMT
content-type: text/html; charset=utf-8
x-powered-by: PHP/7.2.24
p3p: CP="CUR ADM"
expires: Thu, 21 Jul 1977 07:30:00 GMT
cache-control: post-check=0, pre-check=0
pragma: no-cache
x-frame-options: SAMEORIGIN
content-encoding: gzip
vary: Accept-Encoding
last-modified: Tue, 20 Jul 2021 00:18:01 GMT
cache-control: no-transform
x-powered-by: PleskLin
X-Firefox-Spdy: h2

iframe:

HTTP/2 200 OK
server: nginx
date: Tue, 20 Jul 2021 00:14:14 GMT
content-type: text/html; charset=utf-8
x-powered-by: PHP/7.2.24
expires: Thu, 21 Jul 1977 07:30:00 GMT
cache-control: post-check=0, pre-check=0
pragma: no-cache
x-frame-options: ALLOW-FROM suaraguru.com
content-encoding: gzip
vary: Accept-Encoding
last-modified: Tue, 20 Jul 2021 00:14:14 GMT
content-security-policy: frame-ancestors suaraguru.com cs.suaraguru.com ;
x-powered-by: PleskLin
X-Firefox-Spdy: h2

So, what do I need to add or modify next to embed my forum?

Last edited by mrg (2021-07-20 23:51:38)


#10 2021-07-20 11:07:08

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,507

Re: Failed to embed my forum on my domain from my subdomain by iframe

For the iframe:
1. delete the x-frame-options header;
2. and replace

content-security-policy: frame-ancestors suaraguru.com cs.suaraguru.com ;

to

content-security-policy: frame-ancestors https://*.suaraguru.com;

P.S. Delete set-cookie:... from your post and change your password on the site if it was you as a user/admin.

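To make the matching rules behind the last two posts concrete, here is an added Python example (not from this thread and not FluxBB code) that evaluates a `frame-ancestors` source list against an embedding page's origin, following the CSP Level 3 host-source matching rules. The browser errors quoted earlier show the embedding page is `https://www.domain.com`, while the policy in post #5 listed only `domain.com` and `subdomain.domain.com`, so the `www.` host never matched; `https://*.domain.com` covers it. The hostnames are placeholders standing in for the thread's own domains.

```python
"""Added example (not from the FluxBB thread): evaluate a CSP frame-ancestors
directive against an embedding page's origin, following the CSP Level 3
host-source matching rules. Domain names are placeholders."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp_header):
    """Return the source list of the frame-ancestors directive, or None if the
    header carries no such directive (CSP then does not restrict framing)."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _parse_host_source(src):
    """Split 'https://*.example.com:8443/path' into (scheme, host, port); a
    missing scheme or port comes back as None."""
    scheme, rest = None, src
    if "://" in src:
        scheme, rest = src.split("://", 1)
        scheme = scheme.lower()
    rest = rest.split("/", 1)[0]          # drop any path part
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return scheme, rest.lower(), port


def _scheme_matches(source_scheme, url_scheme, page_scheme):
    # No scheme in the source: the ancestor must use the protected page's
    # scheme (an http page also accepts https ancestors). With a scheme, only
    # the http -> https upgrade is tolerated.
    if source_scheme is None:
        return url_scheme == page_scheme or (page_scheme == "http" and url_scheme == "https")
    return source_scheme == url_scheme or (source_scheme == "http" and url_scheme == "https")


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.example.com' matches 'www.example.com' but NOT 'example.com' itself.
        return host.endswith(pattern[1:])
    return pattern == host


def _origin_tuple(url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def source_matches(src, ancestor_origin, page_origin):
    """True if one source expression permits ancestor_origin to frame page_origin."""
    low = src.lower()
    a_scheme, a_host, a_port = _origin_tuple(ancestor_origin)
    p_scheme, p_host, p_port = _origin_tuple(page_origin)
    if low == "'none'":
        return False
    if low == "'self'":
        # 'self' is the framed page's own origin; a sibling subdomain is not self.
        return (a_scheme, a_host, a_port) == (p_scheme, p_host, p_port)
    if low.endswith(":") and "://" not in low:   # scheme-source such as 'https:'
        return _scheme_matches(low[:-1], a_scheme, p_scheme)
    scheme, host, port = _parse_host_source(src)
    if not _scheme_matches(scheme, a_scheme, p_scheme):
        return False
    if not _host_matches(host, a_host):
        return False
    if port is None:
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return port == "*" or str(a_port) == port


def frame_allowed(csp_header, ancestor_origin, page_origin):
    """Decide whether the page at page_origin may be framed by ancestor_origin."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True
    return any(source_matches(s, ancestor_origin, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://subdomain.domain.com"      # the forum, loaded in the iframe
    parent = "https://www.domain.com"          # the embedding site, as in the errors
    for policy in ("frame-ancestors domain.com subdomain.domain.com",   # post #5: refused
                   "frame-ancestors https://*.domain.com"):             # post #10: works
        print(policy, "->", "allowed" if frame_allowed(policy, parent, page) else "refused")
```

Two points the matcher makes visible: a `*.` wildcard does not cover the bare apex, so if the forum is also embedded from `https://domain.com` itself that host must be listed explicitly; and `'self'` names only the framed page's own origin, so it never lets a sibling subdomain embed it. Dropping the `X-Frame-Options` header, as advised above, loses nothing here: browsers that understand `frame-ancestors` give it precedence over `X-Frame-Options`, and `ALLOW-FROM` was already being ignored as unrecognised.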

#11 2021-07-21 04:11:44

mrg
Member
Registered: 2021-07-17
Posts: 8

Re: Failed to embed my forum on my domain from my subdomain by iframe

Visman wrote:

For the iframe:
1. delete the x-frame-options header;
2. and replace

content-security-policy: frame-ancestors suaraguru.com cs.suaraguru.com ;

to

content-security-policy: frame-ancestors https://*.suaraguru.com;

P.S. Delete set-cookie:... from your post and change your password on the site if it was you as a user/admin.

WOW, it works ...
Thanks for your kindness, mr Visman...

