
"X-Frame-Options: ALLOW-FROM ..." prevents iframe from loading #1017

Closed
mykolaharmash opened this issue Jan 23, 2017 · 4 comments
Labels
STATE: Auto-locked Issues that were automatically locked by the Lock bot

Comments

@mykolaharmash

From what I see ALLOW-FROM can be used in two different cases:

  1. To list specific origins where page can be loaded as an iframe
  2. To perform some authorization, based on the request headers.

And the second case seems to be broken, as hammerhead sends the origin of the application under test, but the ALLOW-FROM header is tested against the test server's hostname in the browser.

Example:

  1. Server example.com serves a page and has an authorization check: this page can be rendered as an iframe only on subdomains *.example.com.
  2. The application is served under app.example.com and requests the page to display it within an iframe; the Origin header in the request is "Origin: http://app.example.com".
  3. The server looks at the Origin header; it is a subdomain of example.com, so it copies the Origin into the X-Frame-Options header and sends "X-Frame-Options: ALLOW-FROM http://app.example.com".
  4. The browser checks the current domain and the ALLOW-FROM header for same origin; everything is OK — the iframe is rendered.

But when the application is under test, the 4th step is broken because the current domain (which the testing server serves) does not pass the same-origin check.

The solution might be to send test-server's domain as Origin when requesting iframes.
Does it sound like an issue to you, guys?

More info:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://tools.ietf.org/html/rfc7034
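The following is an added example, not code from testcafe-hammerhead or from the reporter. It models the three parties described above (the framed server, the browser's X-Frame-Options check, and a test proxy in between) to show why step 4 fails when the page is loaded through a proxy, and what a proxy would have to do with the ALLOW-FROM value. The hostnames, the proxy origin and every function name are constructed for the illustration; the proxy-side rewrite is an assumed approach, not a description of the project's fix.

```javascript
// Added example, not code from testcafe-hammerhead: a model of the three
// parties in the report (framed server, browser, test proxy) to show why
// step 4 fails behind a proxy and how an ALLOW-FROM rewrite changes that.
// Hostnames, the proxy origin and all function names are constructed.

const APP_ORIGIN = 'http://app.example.com';   // constructed: application under test
const FRAMED_ORIGIN = 'http://example.com';    // constructed: server of the framed page
const PROXY_ORIGIN = 'http://localhost:1337';  // constructed: the test server / proxy

function parseOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function sameOrigin(a, b) {
  const x = parseOrigin(a);
  return x !== null && x === parseOrigin(b);
}

// Step 3 of the report: the framed server copies the request's Origin into
// ALLOW-FROM, but only when it is example.com or one of its subdomains;
// any other Origin gets DENY.
function frameServerResponse(requestHeaders) {
  const origin = parseOrigin(requestHeaders.origin || '');
  const host = origin === null ? '' : new URL(origin).hostname;
  const trusted = host === 'example.com' || host.endsWith('.example.com');
  return {
    headers: { 'x-frame-options': trusted ? `ALLOW-FROM ${origin}` : 'DENY' },
    body: '<p>framed content</p>',
  };
}

// Step 4 of the report: the browser compares the header with the origin of
// the top-level document that embeds the iframe (RFC 7034 semantics).
function browserAllowsFraming(xfoValue, topLevelOrigin, framedOrigin) {
  const [directive, ...args] = xfoValue.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return sameOrigin(topLevelOrigin, framedOrigin);
    case 'ALLOW-FROM':
      return args.length === 1 && sameOrigin(topLevelOrigin, args[0]);
    default:
      return true; // unrecognised value: browsers ignore the header, i.e. fail open
  }
}

// Assumed proxy-side rewrite (an illustration, not hammerhead's code): if
// upstream allowed an origin that this proxy is itself fronting, replace it
// with the proxy origin, because that is what the browser will compare
// against. DENY, SAMEORIGIN and origins the proxy does not serve pass
// through untouched, so the upstream policy still applies to them.
function rewriteXFrameOptions(xfoValue, proxiedOrigins, proxyOrigin) {
  const m = /^\s*ALLOW-FROM\s+(\S+)\s*$/i.exec(xfoValue);
  if (!m) return xfoValue;
  const allowed = parseOrigin(m[1]);
  return allowed !== null && proxiedOrigins.has(allowed)
    ? `ALLOW-FROM ${proxyOrigin}`
    : xfoValue;
}

// Direct load, no proxy: the app page at appOrigin frames FRAMED_ORIGIN.
function loadIframeDirectly(appOrigin) {
  const res = frameServerResponse({ origin: appOrigin });
  return browserAllowsFraming(res.headers['x-frame-options'], appOrigin, FRAMED_ORIGIN);
}

// Load through the proxy. The proxy forwards the app's real Origin upstream
// (what the report says hammerhead does), but in the browser both the app
// page and the framed page are served from PROXY_ORIGIN.
function loadIframeThroughProxy(appOrigin, rewrite) {
  const res = frameServerResponse({ origin: appOrigin });
  let xfo = res.headers['x-frame-options'];
  if (rewrite) xfo = rewriteXFrameOptions(xfo, new Set([appOrigin]), PROXY_ORIGIN);
  return browserAllowsFraming(xfo, PROXY_ORIGIN, PROXY_ORIGIN);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('direct:', loadIframeDirectly(APP_ORIGIN));                              // true
  console.log('proxy, no rewrite:', loadIframeThroughProxy(APP_ORIGIN, false));        // false (the bug)
  console.log('proxy, rewrite:', loadIframeThroughProxy(APP_ORIGIN, true));            // true
  console.log('untrusted framer:', loadIframeThroughProxy('http://other.test', true)); // false
}
```

Run it with `node` and the four lines reproduce the report: the direct load passes, the proxied load fails because the browser sees the proxy origin, not app.example.com, and the proxied load passes once the proxy rewrites the value. The rewrite has a cost worth noting: the upstream's per-origin restriction collapses into "anything served through this proxy", which is acceptable for a test harness but is one reason a rewriting proxy should stay bound to the test session. ALLOW-FROM itself is obsolete (Chrome and Safari never honoured it, which is why the model falls back to allowing the frame for an unrecognised directive); the current mechanism for the same control is the CSP frame-ancestors directive, and a proxy of this kind needs the equivalent rewrite there too.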

@churkin
Contributor

churkin commented Jan 25, 2017

Hi @nik-garmash,
Thank you for having done this work, but I need some time to investigate this issue. I'll do it in the near future.

miherlosev pushed a commit to miherlosev/testcafe-hammerhead that referenced this issue Jan 30, 2017
@miherlosev
Contributor

Yes, it is a bug.
I am fixing this in the linked pull request.
We can publish a new version if you need it.

@mykolaharmash
Author

A new version would be great.
Thank you.

miherlosev pushed a commit that referenced this issue Mar 13, 2018
…hash' (close #1426) (#1514)

* i1426

* i1426

* Requested changes: rename ensureHostEndedTrailingSlash() to ensureOriginTrailingSlash(); rewrite urlUtils.getProxyUrl(ensureOriginTrailingSlash(url))

* Fix server test (Should process "x-frame-options" header (GH-1017)), export TRAILING_SLASH_RE needed in this test, fix client location test

* Fix navigateTo(): leading slashes case

* Fix ensureOriginTrailingSlash(), code cleanup

* Add ensureOriginTrailingSlash test

* Fix location header, fix ensureOriginTrailingSlash test, add location header test, add location href test (wrapper)

* Add tests

* Requested changes

* Requested changes

* Requested changes
AndreyBelym pushed a commit to AndreyBelym/testcafe-hammerhead that referenced this issue Feb 28, 2019
…hash' (close DevExpress#1426) (DevExpress#1514)

* i1426

* i1426

* Requested changes: rename ensureHostEndedTrailingSlash() to ensureOriginTrailingSlash(); rewrite urlUtils.getProxyUrl(ensureOriginTrailingSlash(url))

* Fix server test (Should process "x-frame-options" header (DevExpressGH-1017)), export TRAILING_SLASH_RE needed in this test, fix client location test

* Fix navigateTo(): leading slashes case

* Fix ensureOriginTrailingSlash(), code cleanup

* Add ensureOriginTrailingSlash test

* Fix location header, fix ensureOriginTrailingSlash test, add location header test, add location href test (wrapper)

* Add tests

* Requested changes

* Requested changes

* Requested changes
@lock

lock bot commented Mar 28, 2019

This thread has been automatically locked since it is closed and there has not been any recent activity. Please open a new issue for related bugs or feature requests. We recommend you ask TestCafe API, usage and configuration inquiries on StackOverflow.

@lock lock bot added the STATE: Auto-locked Issues that were automatically locked by the Lock bot label Mar 28, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Mar 28, 2019