
Website now prevents embedding via iframe

Posted: 2017-07-15, 14:26
by CraigPD
Was something changed on the Pale Moon forum website beginning around 12:00 UTC Friday that now prevents using the website view mode in Netvibes? It now indicates that the site prevents embedding via iframe, per the attached screenshot. Choosing "reader view" instead of "web site view" renders unstyled text content of individual posts without thread continuity for viewing earlier or later posts, and excludes any inline images, so it is much less efficient and visually pleasing in this case.
[Attachment: Netvibes Reader Mode screenshot]
I've never had this problem in 4+ years prior to yesterday and whatever was changed also affects other browsers on both Win 7 and Linux. Any ideas on how to resolve (revert) this, MC?

Re: Website now prevents embedding via iframe

Posted: 2017-07-16, 08:29
by Moonchild
Yes, something was indeed changed.
Framing the Pale Moon forum is no longer allowed. This was changed on purpose to prevent clickjacking and similar attacks.

I can see if it's possible to allow netvibes' reader as an exception, but no promises.

Re: Website now prevents embedding via iframe

Posted: 2017-07-16, 09:16
by Moonchild
I've added a CSP directive that should allow netvibes. Unfortunately CSP is very annoying to implement on a forum with lots of external and internal content intermixed, but this should work.

Re: Website now prevents embedding via iframe

Posted: 2017-07-16, 16:24
by CraigPD
Unfortunately it hasn't made any difference. Is there a setting I can change regarding OCSP certificate validation or elsewhere? Or, is there another feed reader you might suggest that isn't adversely affected by this additional defense? I've never experienced anything adverse security-wise (if that is the attack vector it aims to prevent) after years of usage. In less than a day I already miss the convenience, not to mention a general resistance to change that diminishes outcome.

Re: Website now prevents embedding via iframe

Posted: 2017-07-17, 20:07
by Moonchild
OCSP != CSP

They are completely different things.

Unfortunately I don't know how netvibes tries to request the page (from what domain) so that makes it impossible to get the correct CSP policy in place.
It's also possible that netvibes only checks the X-Frame-Options header and refuses to collect data if it's set restrictively (ignoring CSP in that case).
I've removed the CSP policy again since it's not working, but I do insist on preventing the forum from being framed inside other websites.
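The two posts above describe the mechanism at the heart of this thread: a site can forbid framing with X-Frame-Options, or with the CSP frame-ancestors directive, and only the latter can carry a list of allowed embedders. The following is an added example written for this page, not code from the Pale Moon forum or from netvibes; the forum origin, the netvibes origin, and the exact headers the forum sent are all assumptions. It models how a browser picks between the two headers (per CSP Level 2, a browser that understands frame-ancestors ignores X-Frame-Options when both are present) and shows the failure mode Moonchild suspects: a client that only looks at X-Frame-Options will refuse the page even though the CSP exception would allow it.

```python
"""Added example (not the forum's own code): X-Frame-Options versus
CSP frame-ancestors when one embedder should be allowed as an exception.
Origins below are assumptions, not the forum's real configuration."""
from urllib.parse import urlsplit


def build_headers(allowed_origins):
    """Headers for a site that forbids framing except by itself and the
    listed origins. frame-ancestors carries the real policy. X-Frame-Options
    cannot express a list (its old ALLOW-FROM took a single origin and was
    never supported by every browser), so SAMEORIGIN is sent as a fallback for
    clients that ignore CSP. Such clients therefore refuse the listed origins
    too, which is the situation described in the thread."""
    sources = ["'self'"] + list(allowed_origins)
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources) + ";",
        "X-Frame-Options": "SAMEORIGIN",
    }


def _source_matches(src, embedder_origin):
    """Match one CSP host-source (scheme://host[:port], optional '*.' prefix,
    or a bare scheme such as 'https:') against an embedder origin.
    Paths are ignored because frame-ancestors does not allow them."""
    e = urlsplit(embedder_origin)
    ehost = (e.hostname or "").lower()
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return e.scheme == src[:-1].lower()
    if "://" in src:
        scheme, hostport = src.split("://", 1)
        if e.scheme != scheme.lower():
            return False
    else:
        hostport = src  # no scheme given: simplified, any scheme accepted
    host, _, port = hostport.partition(":")
    if port:
        eport = e.port or (443 if e.scheme == "https" else 80)
        if str(eport) != port:
            return False
    host = host.lower()
    if host.startswith("*."):
        return ehost.endswith(host[1:])
    return ehost == host


def framing_allowed(headers, embedder_origin, site_origin, supports_csp=True):
    """Decide whether a client would render the page inside a frame on a page
    served from embedder_origin. Mirrors the browser rule: if a frame-ancestors
    directive is present and the client understands CSP, X-Frame-Options is
    ignored; otherwise X-Frame-Options alone decides. supports_csp=False
    models a fetcher that only honours X-Frame-Options."""
    csp = headers.get("Content-Security-Policy", "")
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    if supports_csp and "frame-ancestors" in directives:
        for src in directives["frame-ancestors"]:
            keyword = src.strip("'").lower()
            if keyword == "none":
                return False
            if keyword == "self":
                if embedder_origin == site_origin:
                    return True
                continue
            if src == "*" or _source_matches(src, embedder_origin):
                return True
        return False
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == site_origin
    return True  # no restriction sent: any site may frame the page


if __name__ == "__main__":
    site = "https://forum.palemoon.org"          # assumed site origin
    reader = "https://www.netvibes.com"          # assumed reader origin
    hdrs = build_headers([reader])
    for client, csp_ok in (("browser with CSP", True), ("XFO-only fetcher", False)):
        print(client, "->", framing_allowed(hdrs, reader, site, csp_ok))
```

Running the block prints True for a CSP-aware browser and False for a client that only consults X-Frame-Options, which is exactly why adding a frame-ancestors exception can have no visible effect on a third-party reader. The only way to let such a client through would be to drop or loosen X-Frame-Options, which would also drop the clickjacking protection for every browser that does not implement frame-ancestors.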