Clickjacking CSS protection hides content when site is embed inside an iframe, even if frame-ancestors is set

Open on Drupal.org →

Created on 14 January 2024, about 1 year ago

Problem/Motivation

I have a Drupal site with a URL that needs to be embedded in an external site. After configuring frame-ancestors correctly the site is still not properly displayed because the hijacking protection sets the site content as hidden using CSS with important.

Steps to reproduce

You need to have sites a and b, both of them in different domains. Using ddev for both works, with URLS a.ddev.site and b.ddev.site as example.

In site "a" configure seckit properly, with frame-ancestors like "'self' b.ddev.site". Make sure that Clickjacking -> Javascript-based protection is checked.
In site "b" configure seckit properly, to allow embedding urls from "a" as an iframe, with the frame-src adding a.ddev.site
In site "b" create an iframe pointing to an url of "a", like https://a.ddev.site/node/1. Navigate to the URL and see two things:
- An error in the browser console like the one described in this issue: https://www.drupal.org/project/seckit/issues/3400117 💬 Uncaught DOMException: Permission denied to access property "hostname" on cross-origin object Active
- That the iframe is loaded, but the content is hidden via CSS. You can inspect the body element of the iframe and check the styles.li

Proposed resolution

The solution that we proposed and works for us is injecting the whitelisted urls from frame-ancestors in the seckit.document_write.js to check url from the parent page with those, and in this case avoid adding the seckit.no_body.css file that hides the content.

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇪🇸Spain jsbalsera Córdoba, Spain

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!20Clickjacking CSS protection hides content when site is embed inside an iframe, even if frame-ancestors is set
Open
🇪🇸Spain jsbalsera
updated 6 months ago

Comments & Activities

Issue created by @jsbalsera
Merge request !20Issue #3414591: Avoid clickjacking css protection to hide content when... → (Open) created by jsbalsera
Open in Jenkins → Open on Drupal.org →
Core: 10.2.1 + Environment: PHP 8.2 & MySQL 8
last update about 1 year ago
34 pass
Status changed to Needs review about 1 year ago11:33am 15 January 2024
Comment about 1 year ago →
🇪🇸Spain jsbalsera Córdoba, Spain
Issue was unassigned.
Comment about 1 year ago →
🇪🇸Spain jsbalsera Córdoba, Spain
Open in Jenkins → Open on Drupal.org →
Core: 10.2.1 + Environment: PHP 8.2 & MySQL 8
last update about 1 year ago
34 pass
Comment 6 months ago →
🇺🇸United States jds1 Hudson Valley, NY
jds1 → changed the visibility of the branch 3414591-clickjacking-css-protection to hidden.
Comment 6 months ago →
🇺🇸United States jds1 Hudson Valley, NY
jds1 → changed the visibility of the branch 3414591-clickjacking-css-protection to hidden.
Comment 6 months ago →
🇺🇸United States jds1 Hudson Valley, NY
jds1 → changed the visibility of the branch 3414591-clickjacking-css-protection to active.
Comment 6 months ago →
🇺🇸United States jds1 Hudson Valley, NY
Welp I tried to use the MR process but I cannot push to the seckit repro. Keeping things old school with this patch/rerolling for 2.0.3
Comment 6 months ago →
🇺🇸United States jds1 Hudson Valley, NY
jds1 → changed the visibility of the branch 3414591-2.0.3-reroll to hidden.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024