mdn / content

The content behind MDN Web Docs
https://developer.mozilla.org

Issue with "<iframe>: The Inline Frame element": Security Issues prevent example from working #635

Closed. edent closed this 3 years ago

edent commented 3 years ago

MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

What information was incorrect, unhelpful, or incomplete?

The example doesn't work.

(Screenshot: iFrame security failure)

Firefox Can’t Open This Page To protect your security, mdn-samples.mozilla.org will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.

Specific section or headline?

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#Examples

What did you expect to see?

The content of https://mdn-samples.mozilla.org/snippets/html/iframe-simple-contents.html should have been displayed in the iFrame.

Did you test this? If so, how?

Latest Firefox for Linux.

MDN Content page report details

* Folder: `en-us/web/html/element/iframe`
* MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
* GitHub URL: https://github.com/mdn/content/blob/master/files/en-us/web/html/element/iframe/index.html
* Report started: 2020-12-24T21:50:00.126Z

sideshowbarker commented 3 years ago

Thanks for reporting this. The cause is that the https://mdn-samples.mozilla.org/snippets/html/iframe-simple-contents.html frame gets nested in a https://yari-demos.prod.mdn.mozit.cloud/en-US/docs/Web/HTML/Element/iframe/_samples_/Example1 frame, but https://mdn-samples.mozilla.org/snippets/html/iframe-simple-contents.html has a CSP policy that only allows it to be framed by https://developer.mozilla.org, https://developer.allizom.org or https://mdn.mozillademos.org.

So the fix is to get the https://mdn-samples.mozilla.org CSP policy updated such that it allows framing by https://yari-demos.prod.mdn.mozit.cloud. I’ve raised https://github.com/mdn/yari/issues/2281 for that.

escattone commented 3 years ago

Thank you @edent for reporting this as well as @sideshowbarker for identifying the underlying issue! I'm sorry for the delay. I'm just getting to this now, after working my way through my inbox after the holidays.

I updated the frame-ancestors CSP within the mdn/samples-server repo, and @limed (from Mozilla IT) helped me push the new code to the server. This is resolved.
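
The framing check sideshowbarker describes and the `frame-ancestors` update escattone applied, as an added example that is not code from this issue, from mdn/samples-server or from any Mozilla project: a small JavaScript model of how a browser evaluates the CSP `frame-ancestors` directive against the whole chain of ancestor frames, not only the direct parent. The policy strings, the origin list and the nesting order are constructed from the origins named in the thread (the exact header text on the sample server is an assumption), and the matcher covers the common source forms ('none', 'self', scheme-only, host with optional scheme, port and "*." prefix) rather than the full CSP source-expression grammar.

```javascript
// Added example, not code from the MDN issue or from mdn/samples-server:
// a simplified evaluator for the CSP `frame-ancestors` directive, showing why
// a page loaded in a nested frame needs *every* ancestor origin allow-listed.
// Assumptions (constructed for illustration): the policy strings, the origins
// and the nesting order below; the matcher covers the common source forms
// ('none', 'self', "scheme:", host with optional scheme, port and "*." prefix)
// and not the complete CSP source-expression grammar. Uses the global WHATWG URL.

// Pull the frame-ancestors directive out of a policy string such as
// "default-src 'self'; frame-ancestors https://a.example https://b.example".
// Returns null when the directive is absent (CSP then does not restrict framing).
function parseFrameAncestors(policy) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
}

// Does one source expression match one ancestor origin?
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "none") return false;
  if (source === "self") return ancestorOrigin === selfOrigin;
  const ancestor = new URL(ancestorOrigin);
  // Scheme-only source, e.g. "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return ancestor.protocol === source;
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && ancestor.protocol !== scheme + ":") return false;
  if (wildcard ? !ancestor.hostname.endsWith("." + host) : ancestor.hostname !== host) return false;
  // WHATWG URL reports a default port as "", so an explicit port in the
  // source is compared against the ancestor's effective port.
  const effectivePort = ancestor.port || (ancestor.protocol === "https:" ? "443" : "80");
  if (port === undefined) return ancestor.port === "";
  return port === "*" || port === effectivePort;
}

// The browser checks frame-ancestors against every ancestor browsing context,
// not only the direct parent: one disallowed origin anywhere in the chain
// blocks the load. This is the condition the sample page failed.
function framingAllowed(policy, selfOrigin, ancestorChain) {
  const sources = parseFrameAncestors(policy);
  if (sources === null) return true;
  return ancestorChain.every((origin) =>
    sources.some((src) => sourceMatches(src, origin, selfOrigin))
  );
}

// Constructed reproduction of the report. The origins are the ones named in
// the thread; the exact header text served by the sample server is assumed.
const SAMPLE_ORIGIN = "https://mdn-samples.mozilla.org";
const ORIGINAL_POLICY =
  "frame-ancestors https://developer.mozilla.org https://developer.allizom.org https://mdn.mozillademos.org";
const FIXED_POLICY = `${ORIGINAL_POLICY} https://yari-demos.prod.mdn.mozit.cloud`;
// Ancestors of the sample page on the new site: the demo frame is its parent,
// the article page its grandparent.
const NESTED_CHAIN = ["https://yari-demos.prod.mdn.mozit.cloud", "https://developer.mozilla.org"];

function reproduce() {
  return {
    // Old site: sample framed directly by the article page.
    framedDirectly: framingAllowed(ORIGINAL_POLICY, SAMPLE_ORIGIN, ["https://developer.mozilla.org"]),
    // New site before the fix: the intermediate demo origin is not allow-listed.
    nestedBeforeFix: framingAllowed(ORIGINAL_POLICY, SAMPLE_ORIGIN, NESTED_CHAIN),
    // After adding the demo origin to frame-ancestors.
    nestedAfterFix: framingAllowed(FIXED_POLICY, SAMPLE_ORIGIN, NESTED_CHAIN),
  };
}

console.log(reproduce());
```

Run it with `node`; it prints `framedDirectly: true`, `nestedBeforeFix: false` and `nestedAfterFix: true`. The point to take from the model is that allow-listing the outermost page is not enough: when a demo sandbox or any other intermediate origin is introduced between the embedding page and the framed content, that origin must appear in `frame-ancestors` too, or the browser refuses the load exactly as Firefox did here.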