nwjs / nw.js

Call all Node.js modules directly from DOM/WebWorker and enable a new way of writing applications with all Web technologies.
https://nwjs.io
MIT License

Bypass CSP directive frame-ancestors for iframes #2967

Open dqbd opened 9 years ago

dqbd commented 9 years ago

There are some webpages which I can't load into an iframe because of a Content Security Directive in the HTTP header. It should probably load, as there is a way to bypass X-Frame-Options: #461

Refused to display '...' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'deny'

nwfaketop and node-remote don't work as expected.

rogerwang commented 9 years ago

Could you please provide a case?

dqbd commented 9 years ago

Tested with 0.12-alpha1. The URL I'm using is http://duong.cz/nw.php, which has a CSP header with Content-Security-Policy: frame-ancestors 'self'. The output should be a "Hello World" message.

package.json

{
    "main": "index.html",
    "name": "testcase",
    "node-remote": "duong.cz"
}

index.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>
    <iframe src="http://duong.cz/nw.php" frameborder="0" nwfaketop nwdisable></iframe>
</body>
</html>

The error message: Refused to display 'http://duong.cz/nw.php' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

nw.php

<?php
    header("Content-Security-Policy: frame-ancestors 'self';"); 
    echo "Hello World!";
?>
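
The `frame-ancestors` check that produces the error in this test case, sketched as an added example (not code from NW.js or from the poster). It is a simplified CSP Level 3 matcher for a single policy, the function names are hypothetical, and the `chrome-extension://constructed-app-id` ancestor is a constructed stand-in for the app page that hosts the iframe.

```javascript
// Added example: simplified CSP Level 3 frame-ancestors matching (not NW.js code).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const defaultPort = (proto) => DEFAULT_PORT[proto] || "";
const port = (u) => u.port || defaultPort(u.protocol);
// CSP lets an http: expression also match an https: URL (scheme upgrade).
const schemeOk = (want, got) => got === want || (want === "http:" && got === "https:");
const sameOrigin = (a, b) =>
  a.protocol === b.protocol && a.hostname === b.hostname && port(a) === port(b);

function parseFrameAncestors(headerValue) {
  // Return the directive's source list, or null when the directive is absent.
  for (const directive of headerValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return sameOrigin(ancestor, self);
  // 'none' and unknown keywords such as 'deny' match no ancestor at all.
  if (s.startsWith("'")) return false;
  if (s === "*") return schemeOk("http:", ancestor.protocol) || ancestor.protocol === self.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, ancestor.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, wantPort] = m;
  // A host-source without a scheme inherits the scheme of the protected resource.
  if (!schemeOk(scheme ? scheme + ":" : self.protocol, ancestor.protocol)) return false;
  const hostOk = wildcard ? ancestor.hostname.endsWith("." + host)
                          : ancestor.hostname === host;
  const portOk = wantPort === "*" ||
    port(ancestor) === (wantPort || defaultPort(ancestor.protocol));
  return hostOk && portOk;
}

function framingAllowed(cspHeader, resourceUrl, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true; // directive absent: no framing restriction from CSP
  const self = new URL(resourceUrl);
  // Every ancestor in the chain must match at least one source expression.
  return ancestorUrls.every((a) =>
    sources.some((src) => sourceMatches(src, new URL(a), self)));
}

// Constructed ancestor URL for the app page; prints false, as in the reported error.
console.log(framingAllowed("frame-ancestors 'self';", "http://duong.cz/nw.php",
  ["chrome-extension://constructed-app-id/index.html"]));
```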

dqbd commented 9 years ago

Fixed in the latest build. Thank you :smile:

dqbd commented 9 years ago

@rogerwang It seems that in the latest version (v0.13-alpha2) this doesn't work anymore (same error etc).

Had to change the manifest.json though, as it would crash without specifying http:// in node-remote.

{
    "main": "index.html",
    "name": "testcase",
    "node-remote": "http://duong.cz"
}

rogerwang commented 7 years ago

This should be already fixed since the 0.12 patch is included in 0.13 and later.

MistakingManx commented 1 year ago

I'm having this issue with Spotify.

ayushmanchhabra commented 1 year ago

Could you provide steps to reproduce?

MistakingManx commented 1 year ago

Uh.. I wish GitHub sent me notifications, now I have to try to remember.

MistakingManx commented 1 year ago

Basically, even when you set all the settings, from node-remote to that one that makes the iframe think that it's a full window, Spotify refuses to connect.

On top of this, using Spotify in nwjs causes it to skip forward all the songs after playing only a few seconds.

With protected content enabled*