I am getting Error as below :
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
What you can try:
Open this content in a new window
& the content opens up in another tab. i want to load the page in the same tab as opening not instead of directing to other page.One thing I found is, urls of both the pages are quite different.
1st page - https://xxxxxxxxxxxxxxxxxxxxxx:23000/cddtweb/DDSMain.jsp
2nd page - https://xxxxxxxxxxxxxxxxxxxxxx:23000/cddtweb/DDSEntitlements.jsp
Could i get some help here to solve this issue please.
What you describe is probably caused by a security feature called X-Frame-Options implemented on the server of the frame content provider to protect from clickjacking.
As stated in the first link, this feature is supported by all major browsers. If you don't have access to the application which generated the frame content, there is nothing you can do about it (to my best knowledge).
Depending on your use-case you might be able to fetch the frame content, tweak it and then output it directly into your page without <iframe/>. This method is more described in an article by Crhis Duell (although for PHP, but you should get the point).
If you have access to the application that generates the frame content, you need to set X-Frame-Options HTTP header with a proper value (e.g. X-Frame-Options: SAMEORIGIN if the frame uses the same domain).
If you want your app accessible in iframe of some other browser then you have to set Content-Security-Policy directive as frame-ancester and parent browser URL(for whitelisting)
Example: Content-Security-Policy: frame-ancestors https://example.com
in the response header you will see content-security-policy: frame-ancestors https://example.com https://example1.com
This works for most of the browsers except IE11. For IE11 you have to set X-Content-Security-Policy: parent url.
Example: x-content-security-policy: https://example.com https://example1.com
Related
I'm trying to open a URL in my application through the displayHelpResource(href) function.
But I'm being shown the following :
This content cannot be dispalyed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
I've understood that the site is blocking the Frame access. What can be done to open the desired URL using the displayHelpResource(href) function.
You can add noframes=true to the href you stop frames being used
http:xxxxx?noframes=true
The noframes=true text is removed from the href by the help system before it is actually used.
I am using jsp.
I have to provide security to the application from Cross Frame Scripting. I have to ensure that all pages that gather user information prior to and during authentication are not vulnerable. The pages must prevent being encapsulated within a frameset of an unauthorized site.
Need to know more how to prevent frames from becoming encapsulated.
I have already gone through the below link but couldn't find the appropriate solution.
"https://www.owasp.org/index.php/Cross_Frame_Scripting"
I'm expecting some demo project so that I can understand more about Cross Frame Scripting and how my application is safe from being encapsulated.
Use the X-Frame-Options header with value DENY, SAMEORIGIN or ALLOW-FROM uri in your HTTP response to prevent your website being loaded in a frame.
Another method is validating your url with the source url and reload the page with your url if any cross frame scripting find.
Refer below script to do it.
<script>
window.onload = function() {
if (window.location !== window.top.location) {
window.top.location = window.location;
}
}
</script>
The problem I'm having is the following:
I have an app with two separate modes: A WebView for browsing and a custom Canvas. The custom Canvas captures handwriting samples for language placement exams. Here's how it works. A user logs in to Moodle via the WebView. After they log in, they navigate to a Quiz inside Moodle. They click a link on one of the Quiz's questions and this launches an Intent which hides the WebView and shows the Canvas. The user then writes (using a stylus) on the Canvas. When a user is finished writing their essay (or whatever), they press a button that uploads an image file to Moodle. I am able to upload images to a point, it's getting them to show up in the HTML page that the user clicked the link in originally (see above) and to get Moodle to commit them to permanent storage that is the problem. Normally this is all accomplished through AJAX (really AJAJ since it's JavaScript and JSON) and when the user drops a file on this one component, the component refreshes and uploads the file.
Here is the problem: I need the WebView so that students can log in to Moodle through Shibboleth. But because the underlying JavaScript in the browser makes AJAX calls to the Moodle server and since the Java side of Android doesn't have access to the DOM, I have use the Apache HTTP components library to make some of the connections below basically to preserve the state of the HTML page in WebView.
In a desktop browser on, say, Windows, I use WebScarab to monitor the browser's requests and this is what I see: the browser uploads a file to Moodle via five successive calls to the following scripts:
POST https://[moodle website]/repository/repository_ajax.php [posts multipart form data]
POST https://[moodle website]/repository/draftfiles_ajax.php [posts some params]
GET https://[moodle website]/draftfile.php/[some_id]/user/draft/[some_id]/[somefilename.png] [returns an icon of the image for a filepicker from YUI]
POST https://[moodle website]/mod/quiz/processattempt.php [returns HTML page]
GET https://[moodle website]/mod/quiz/summary.php [returns HTML page]
Some of these scripts return, as you'd expect, JSON data since they're AJAX and not HTML. The final two calls (4 & 5) return HTML. Now, I can make all of those calls in succession in either the WebView or the Apache HTTP library, but if I do so with WebView, only JSON data is returned to the WebView in calls 1-3 (WebView treats the JSON data as a page and displays it wiping out whatever HTML page was displayed in it). If I capture and process the JSON data using the Apache HTTP library in Java, then the JavaScript components internal to the page do not get updated. If I split the calls so that I send only calls 4 & 5 to the WebView, the HTML merely returns WebView to the first question of the exam and Moodle acts as if I haven't uploaded anything.
I can verify that files are uploading if I manually refresh (press a link) the JavaScript UI elements in the page. I can't expect students to do this, though, because the link to do so is very tiny and it's not obvious that it does a refresh. I need a way to programmatically refresh this one element (it's part of YUI) or to get Android and the Java side to play more nicely with the JavaScript/DOM side.
My question is: does anyone know a way to 1) fire off a drag and drop event using YUI to an element inside an HTML page or 2) a way to consume the JSON data and pass it to an element inside the HTML page.
I'm banging my head against a wall trying to figure this out.
OK, so I figured out that: javascript:document.getElementsByClassName(\"[name of link here]\")[0].click() works in Chrome on the desktop but doesn't work if I pass it to WebView.loadURL(). I just need to be able to simulate that click event reliably in WebView. It appears not to support click(). Anyone have any ideas?
The winning code is:
el = document.getElementsByClassName("[some element]")[0];
var event = document.createEvent("MouseEvents");
event.initEvent("click", true, true);
el.dispatchEvent(event);
This selects the link at [some element] and thereby fires an AJAX request that refreshes the FilePicker. For those working with Moodle, I had to add the above code to the same quiz question that handles so it is invoked by putting that code in its own function and calling it with WebView.loadURL("javascript:myRefreshFunction()").
I'm developing with Liferay portal.
And now I'm facing a little problem:
I'm making site for some Company that has subsidiaries.
Then, I must cut out some parts(precisely header and footer)
of other site(sub. site) and put the body of page without'em in iframe of main site.
I was "googling", looking for something about Grabbers.
but I've found just about how to grab with PHP or Perl.
and here
It doesn't seem to be exact what I need.
You can try the WebProxy portlet for this.
As you'll have to modify the external content's body, you can't simply show it in an iframe, so this portlet might be what you need. It doesn't work with an iframe internally and you can replace some content on-the-fly.
I have developed a theme in liferay 6.1. I have a page named "localhost:8080/home" but now i want that on clicking this link of the page, it should be redirected to localhost:8080
Any suggestions are welcomed.
Thanks in Advance.
I think you are confused a little bit, so just some things you should know:
You can't (normally and without hacks) have a page named "localhost:8080". Every Page (or 'Layout' in Liferay) has a short name, that takes it's part of the url. This is often called "friendly url" but it's often confused with the "friendly url feature", which is a way to shorten your url request data.
So you're always going to have urls like 'localhost:8080/something'. The same holds for the 'home' page
You can partially shorten the Url by using 'virtual host'. It removes the part of the url before your page's name (like removing the web/guest or user/username ) suffix
You can use the 'friendly url' feature to shorten the part of the url that goes after the page's name, and contains request information like lifecycle state info or custom request parameters