HTML Logo by World Wide Web Consortium (www.w3.org). Click to learn more about our commitment to accessibility and standards.

Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


[SOLVED] iframe inside comcode no longer interactable

Login / Search

 [ Join | More ]
 Add topic 
Posted
Rating:
#101433 (In Topic #19896)

Fan in action

I have SMF set up inside an iframe on a comcode page on my ocportal website. They share a database so there's only one login.

I recently updated both ocportal and SMF to the latest versions. When I did so, SMF stopped being interactable inside the iframe -- you can click on links but nothing happens. Outside of the iframe, SMF works fine.

I've tried this on the latest versions of Chrome, Opera, and Firefox. I've done the repair tool, I've scanned, everything says it's working, and the comcode page hasn't changed.

Anyone have any idea what would cause this?


Last edit: by wicked
Back to the top
 
Posted
Rating:
#101434
Avatar

Anything in the browser error console?

Immediate thoughts:
  • SMF making all links work via Javascript for some reason, but Javascript failing for some reason
  • CSP (Content Security Policy) implemented in SMF, dictating to not accept link clicks if loaded into an iframe
  • Some kind of HTML element overlayed over the frame contents (either inside the frame, or outside) blocking the ability to trigger a click on a link



Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
Posted
Rating:
#101441

Fan in action

thank you for your help.
I looked in the error console for Chrome and it says:
Refused to display '{SMF}' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

never heard of this before and google search isn't leading to helpful answers so far.


Last edit: by wicked
Back to the top
 
Posted
Rating:
#101445
Avatar

Yes, this is CSP, which is relatively new. It allows websites to define limitations on how they can be used in order to stop them being embedded in potentially malicious contexts.

You'll have to ask the SMF guys how to disable that / look in the PHP code for a line with "X-Frame-Options" in.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
Posted
Rating:
#101457

Fan in action

Chris Graham said

Yes, this is CSP, which is relatively new. It allows websites to define limitations on how they can be used in order to stop them being embedded in potentially malicious contexts.

You'll have to ask the SMF guys how to disable that / look in the PHP code for a line with "X-Frame-Options" in.
Thank you for your reply. Yes it was a security feature they added in their latest update to prevent "clickjacking".

I tried asking the SMF people and the only replies I got were to not use iframes and to use their portal; which wasn't really helpful. I had already tried using their portal before and didn't like any of it.

I did end up finding the answer though.

In case anyone else runs into this problem and finds this thread, you need to edit your forum's index.php to comment out or remove this:

Code

header('X-Frame-Options: SAMEORIGIN');

While you're in there you'll see a comment saying it will be configurable, but right now it's not configurable. Perhaps in the next update.
Back to the top
 
Posted
Rating:
#110225

Non-joined user

Wicked… I <3 you

Really thx for this info… is UBER useful. Thx">
Back to the top
 
There are too many online users to list.
Control functions:

Quick reply   Contract

Your name:
Your message: