Website now prevents embedding via iframe


CraigPD
Fanatic
Posts: 220
Joined: Tue Jan 01, 2013 7:03 pm
Location: Mexico

Postby CraigPD » Sat Jul 15, 2017 2:26 pm

Was something changed on the Pale Moon forum website beginning around 12:00 UTC Friday that now prevents using the website view mode in Netvibes, which now indicates it prevents embedding via iframe per attached ss? Choosing "reader view" vs. "web site view" renders unstyled text content of individual posts without thread continuity of viewing earlier or later posts and excludes any inline images, so it is much less efficient and visually pleasing in this case.

PMfourmNetVibesWebSiteView.png
Netvibes Reader Mode

I've never had this problem in 4+ years prior to yesterday and whatever was changed also affects other browsers on both Win 7 and Linux. Any ideas on how to resolve (revert) this, MC?

Moonchild
Pale Moon guru
Posts: 19456
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Website now prevents embedding via iframe

Postby Moonchild » Sun Jul 16, 2017 8:29 am

Yes, something was indeed changed.
Framing the Pale Moon forum is no longer allowed. This was changed on purpose to prevent clickjacking and similar attacks.

I can see if it's possible to allow netvibes' reader as an exception, but no promises.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

Postby Moonchild » Sun Jul 16, 2017 9:16 am

I've added a CSP directive that should allow netvibes. Unfortunately CSP is very annoying to implement on a forum with lots of external and internal content intermixed, but this should work.

Postby CraigPD » Sun Jul 16, 2017 4:24 pm

Unfortunately it hasn't made any difference. Is there a setting I can change regarding OCSP certificate validation or elsewhere? Or, is there another feed reader you might suggest that isn't adversely affected by this additional defense? I've never experienced anything adverse security-wise (if that is the attack vector it aims to prevent) after years of usage. In less than a day I already miss the convenience, not to mention a general resistance to change that diminishes outcome.

Postby Moonchild » Mon Jul 17, 2017 8:07 pm

OCSP != CSP

They are completely different things.

Unfortunately I don't know how netvibes tries to request the page (from what domain) so that makes it impossible to get the correct CSP policy in place.
It's also possible netvibes only checks the X-Frame-Options header and refuses to collect data if it's set restrictive (ignoring CSP in that case).
I've removed the CSP policy again since it's not working, but I do insist on preventing the forum from being framed inside other websites.
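
The mismatch suspected in the last post above, where a client honors only X-Frame-Options while the site relies on a CSP exception, can be modeled directly. This is an added example, not code from the forum or from Netvibes; it assumes the CSP directive in question is `frame-ancestors`, and `forum.example` and `reader.example` are constructed placeholder origins.

```javascript
// Added example (not forum code). Assumes the CSP directive is frame-ancestors.

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Match one source expression against the embedder (ports/paths not handled).
function sourceMatches(source, embedder, self) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return embedder === self;
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)$/.exec(source.toLowerCase());
  if (!m) return false;
  const e = new URL(embedder);
  if (m[1] && m[1] + ":" !== e.protocol) return false;
  return m[2] ? e.hostname.endsWith("." + m[3]) : e.hostname === m[3];
}

// X-Frame-Options on its own; unrecognized values are ignored, as browsers do.
function xfoAllows(xfo, embedder, self) {
  const v = (xfo || "").trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return embedder === self;
  return true;
}

// CSP-aware browser: a frame-ancestors directive, when present, decides alone.
function browserAllows(headers, embedder, self) {
  const list = frameAncestors(headers["content-security-policy"]);
  if (list !== null) return list.some((s) => sourceMatches(s, embedder, self));
  return xfoAllows(headers["x-frame-options"], embedder, self);
}

// Client that reads only X-Frame-Options and never looks at CSP.
function xfoOnlyClientAllows(headers, embedder, self) {
  return xfoAllows(headers["x-frame-options"], embedder, self);
}

// Constructed sample: restrictive legacy header plus a CSP exception.
const SELF = "https://forum.example";
const sample = {
  "x-frame-options": "SAMEORIGIN",
  "content-security-policy": "frame-ancestors 'self' https://reader.example",
};
```

With the sample headers, the CSP-aware path admits the excepted origin while the header-only path still refuses it, so an exception added in CSP has no effect on a client of the second kind.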

