DOMException: Blocked a frame with origin "<my-domain>" from accessing a cross-origin frame

[phischepi]

Hi everyone,

We've recently installed a new instance of Kentico SP 12.0.48 in production. We have 2 sites (one MVC Site and one Admin site on 2 different domains). In the page builder, when we try to use the "Rich Text Editor" widget, we've faced CORS exceptions. We could partially manage it by using the "CMSUrlHost" settings by now we are stuck with the following exception:

Uncaught DOMException: Blocked a frame with origin "" from accessing a cross-origin frame.

Has someone already face that problem? Do you have any idea how to solve it?

P.S. we try the X-Frame-Options which is no more supported by modern browser

[LadislavMargai]

Hi Julien,

Are the other page builder features working in your project (widgets, inline editors, etc..)? Does the MVC site & Admin site share the same domain or are you using separate domains? Is the Kentico running behind a proxy server?

After applying the 12.0.48 Hotfix, have you upgraded your MVC Kentico NuGet packages to version 12.0.48 as well?

[phischepi]

Hi Ladislav,

Our custom widgets work well but the two of this repo are not:

• video: print us "registration of ... failed"
• richt text editor: do not load at all

As said, we have two separate domains: www.domain.net and admin.domain.net.

And yes, we have upgraded both Kentico and nugets up to the version 12,0,48 (there is no warning in KIM ;) )

[LadislavMargai]

Okay then let's start with the video widget: Is there any error in browser console or in the event log (Event log application)?

and regarding Rich Text Editor: What is the URL of the page in an iframe which is browser refusing to load (due to cross-origin request)? What are the response headers of this page? (You can omit sensitive data).

[phischepi]

Can we focus on the RTE? :) it is our main blocking point for the moment.

The main URL is: https://admin.domain.net/Admin/cmsadministration.aspx#95a82f36-9c40-45f0-86f1-39aa44db9a77

The URL of the iframe (from the page builder) is the following: https://www.domain.net/cmsctx/pv/administrator/culture/en-US/wg/20f0bfe0-462f-4793-940e-71989941c9a4/readonly/0/pts/637106468108611823/ea/1/h/61ee323ae5c2bb3a9d1460a6f17d1502bde5f0de297850127d826c01bb048c5c/-/en-us/test?instance=3da385e4-efec-4e8a-9475-f7c2416bb3e3&uh=5bae2c2d8f5b564970ef23377a5af0c8704cac02a37874058a2b15bb29263345&editmode=1&administrationUrl=https%3A%2F%2Fadmin.domain.net%2F

The request is the following: https://www.domain.net/cmsctx/pv/administrator/culture/en-US/wg/20f0bfe0-462f-4793-940e-71989941c9a4/readonly/0/pts/637106471144908727/ea/1/h/57f569bd4f56f83c3e16b4f7ccfa4136171260fe1bf4a63010ecd43b78b203fe/-/kentico/bundles/pageComponents/admin/scripts?v=xGajw9hCqtSh5kJbx-7zCvpAAO9Pl8S5lzKFQx4bfpc1&uh=a8d4eb88149127c958140e253d782827fbc4d201acbcdb8d1717bf3de4c89d46&administrationurl=https%3A%2F%2Fadmin-qa.upu.int%2F The response contains all the scripts for the widgets and in this script, the exception is thrown by the froala editor at this place:

main.js l. 27161 p. 59854 [...]return window.parent.document.querySelector[...]

[petrinecp]

Looks like this call was added in Froala 3.0.6, could you try downgrading the froala-editor npm dependency to "froala-editor": "3.0.5" (without ^) in package.json, install the packages and build the scripts with this downgraded version of the froala editor?

[petrinecp]

Also try locating the request to your test page in DevTools and make sure the Content-Security-Policy header is set to frame-ancestors with your domains listed

[phischepi]

Ok we will try to downgrade the editor.

Otherwise, the content-security-policy looks good:

[phischepi]

Hello,

The downgrade solves the problem with the blocked frame but now there is another one :(. It seems that the licence is not found in the bundle:

If I look into the network exchange I can see that the editor tries to check the licence without success:

EDIT: we are using the latest version: 12.0.49

[phischepi]

Futher investigation, we just found out that the licence is not included in the response when getting the instance of the RTE:

Response: <div data-inline-editor="Kentico.InlineEditor.RichText" data-property-name="content"><div class="ktc-rich-text-wrapper" data-get-link-metadata-endpoint-url="/cmsctx/pv/administrator/culture/en-US/wg/50f5c4c4-8080-485c-a84d-9defa32e4508/readonly/0/pts/637109217741452983/ea/1/h/dc5eacbe366cb17660c7158f9064cd81e4770b9fef924fc475658483853b443a/-/kentico.pagebuilder/widgets/en-us/kentico.widget.richtext/getlinkmetadata?editmode=1&amp;instance=b8764103-81d4-4d35-98b3-4c2da382562b&amp;uh=1ac7c03e04e6b1f2d6493e4e88374e2476e0df1886b749fc7e2dd1a9861e4d64&amp;administrationurl=https%3A%2F%2Fadmin.domain.net%2F" data-rich-text-editor-license=""></div></div> The faulting part is the: data-rich-text-editor-license=""

We install 2 identical environments (both with 2 domains). On ours, there is no error but on the one of our customer, the key is not provided. Is there special conditions to retrieve the licence key?

[LadislavMargai]

Futher investigation, we just found out that the licence is not included in the response...

The Froala license comes with 12.0.43 Hotfix. Could you please run this query against your database?

SELECT [KeyName], [KeyValue]
  FROM [CMS_SettingsKey]
  WHERE [KeyName] = 'CMSHotfixVersion' OR [KeyName] = 'CMSHotfixDataVersion'

Could you check if both values are greater or equal to 43 in both environments?

[phischepi]

Thank for the hint, the entry was missing so it solves the second problem :)

[LadislavMargai]

No problem, is there any other issue regarding the Rich Text Editor or Video widget?

[phischepi]

No not with the downgraded version of Froala. But the "DOMException: Blocked a frame with origin" remains with current version ... wait'n'see for the next version

[LadislavMargai]

Hi @phischepi,

We have recently released a new version of the RichText Editor. Could you install it and check if you can still reproduce this issue?

Install-Package Kentico.EMS12.MvcComponents.Widget.RichText -Version 1.2.0

[LadislavMargai]

Hi @phischepi,

We haven't heard from you in a while, so we are closing this issue for now. Feel free to reopen this issue if the answer above won't help you.