helmetjs / helmet

Help secure Express apps with various HTTP headers

Home Page: https://helmetjs.github.io/

How could I enable access to my site from any iframe including from a local html file?

critical58 opened this issue · comments

For instance, would it be possible to allow anyone to make an html file and run it locally and use my site through an iframe on that file, as this currently works without attempt to solve the issue apart from that I am unable to use response.redirect(). Thanks in advance!

By default, Helmet prevents others from putting your pages in iframes.

You can fix this by (1) removing the X-Frame-Options header and (2) removing the frame-ancestors directive from the Content-Security-Policy middleware.

For example:

const express = require("express");
const helmet = require("helmet");

const app = express();

app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        // ...
        // Setting a directive to null drops Helmet's default value for it
        "frame-ancestors": null,
      },
    },
    frameguard: false, // do not send the X-Frame-Options header
  })
);

Does this answer your question?

Hi,
"Refused to frame 'https://example.website.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors *". Note that '*' matches only URLs with network schemes ('http', 'https', 'ws', 'wss'), or URLs whose scheme matches self's scheme. The scheme 'https:' must be added explicitly." is the error I am getting right now. Thank you for looking into it!

It looks like the Content-Security-Policy header on https://example.website.com/ is blocking it. Can you configure that header?

Sorry, I left some previous code in from earlier haha! This allows me to view the iframe, but when response.redirect() is called the redirect doesn't happen and the page is refreshed. I am getting this in the console: "Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute." When I submit the form outside of the iframe to call the redirect it works as intended, so I'm unsure what the issue is. I am also not able to fetch from Font Awesome with this config. Thanks!

Hi, before I do this I was wondering how I could implement this: "Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being sent in a cross-site request. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery. Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use. Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests." as this sounds like the problem. Is this possible in helmet, or is this an issue not to do with helmet? Many thanks!

Not sure, but I suspect this is an issue with how cookies are set. Helmet doesn't do much with cookies, so I expect the problem is elsewhere.
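As an added example (not from this issue thread or the helmet project), the following plain Node code models the browser rule quoted in the console message above: a cookie with no SameSite attribute defaults to Lax and is withheld from a form POST made inside a cross-site iframe, so the session never reaches the redirect handler. In Express the fix lives in the cookie options, e.g. `res.cookie(name, value, { sameSite: "none", secure: true })`, not in Helmet; the helper names below are my own.

```javascript
// Builds a Set-Cookie header value. SameSite=None is only honoured with Secure,
// so that combination is enforced here rather than silently producing a cookie
// the browser will reject.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.sameSite) {
    const mode = opts.sameSite[0].toUpperCase() + opts.sameSite.slice(1).toLowerCase();
    if (!["None", "Lax", "Strict"].includes(mode)) throw new Error(`bad SameSite: ${opts.sameSite}`);
    if (mode === "None" && !opts.secure) throw new Error("SameSite=None requires Secure");
    parts.push(`SameSite=${mode}`);
  }
  if (opts.secure) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Parses the attributes of a Set-Cookie value, applying the browser default:
// a missing or invalid SameSite is treated as Lax.
function parseSetCookie(header) {
  let sameSite = "Lax";
  let secure = false;
  for (const attr of header.split(";").slice(1)) {
    const [k, v = ""] = attr.trim().split("=");
    const key = k.toLowerCase();
    if (key === "samesite") {
      const mode = v.trim().toLowerCase();
      sameSite = mode === "none" ? "None" : mode === "strict" ? "Strict" : "Lax";
    } else if (key === "secure") {
      secure = true;
    }
  }
  return { sameSite, secure };
}

// Decides whether a stored cookie is attached to a request in the given context
// (simplified model of the SameSite rules; Lax+POST grace periods are ignored).
// ctx: { crossSite, topLevelNavigation, method, https }
function sentOnRequest(header, ctx) {
  const { sameSite, secure } = parseSetCookie(header);
  if (sameSite === "None" && !secure) return false; // rejected at set time
  if (secure && !ctx.https) return false;           // Secure cookies need HTTPS
  if (!ctx.crossSite) return true;                  // same-site: always sent
  if (sameSite === "None") return true;             // explicit cross-site opt-in
  if (sameSite === "Strict") return false;
  // Lax: only top-level navigations with a safe method, never a POST from an iframe
  return ctx.topLevelNavigation && ctx.method === "GET";
}
```

The case from this thread is the Lax default with a POST from an embedded frame, which returns false; the same cookie re-issued with SameSite=None; Secure is sent.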

It's been two weeks since any activity on this issue, so I'm going to close. Let me know if that's wrong.