Website now prevents embedding via iframe

CraigPD
Lunatic
Posts: 292
Joined: 2013-01-01, 19:03
Location: Mexico

Website now prevents embedding via iframe

Unread post by CraigPD » 2017-07-15, 14:26

Was something changed on the Pale Moon forum website beginning around 12:00 UTC Friday that now prevents using the website view mode in Netvibes, which now indicates it prevents embedding via iframe per attached ss? Choosing "reader view" vs. "web site view" renders unstyled text content of individual posts without thread continuity of viewing earlier or later posts and excludes any inline images, so it is much less efficient and visually pleasing in this case.
Netvibes Reader Mode
I've never had this problem in 4+ years prior to yesterday and whatever was changed also affects other browsers on both Win 7 and Linux. Any ideas on how to resolve (revert) this, MC?

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Website now prevents embedding via iframe

Unread post by Moonchild » 2017-07-16, 08:29

Yes, something was indeed changed.
Framing the Pale Moon forum is no longer allowed. This was changed on purpose to prevent clickjacking and similar attacks.

I can see if it's possible to allow netvibes' reader as an exception, but no promises.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Website now prevents embedding via iframe

Unread post by Moonchild » 2017-07-16, 09:16

I've added a CSP directive that should allow netvibes. Unfortunately CSP is very annoying to implement on a forum with lots of external and internal content intermixed, but this should work.

CraigPD
Lunatic
Posts: 292
Joined: 2013-01-01, 19:03
Location: Mexico

Re: Website now prevents embedding via iframe

Unread post by CraigPD » 2017-07-16, 16:24

Unfortunately it hasn't made any difference. Is there a setting I can change regarding OCSP certificate validation or elsewhere? Or, is there another feed reader you might suggest that isn't adversely affected by this additional defense? I've never experienced anything adverse security-wise (if that is the attack vector it aims to prevent) after years of usage. In less than a day I already miss the convenience, not to mention a general resistance to change that diminishes outcome.

Moonchild
Pale Moon guru
Posts: 35477
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Website now prevents embedding via iframe

Unread post by Moonchild » 2017-07-17, 20:07

OCSP != CSP

They are completely different things.

Unfortunately I don't know how netvibes tries to request the page (from what domain) so that makes it impossible to get the correct CSP policy in place.
It's also possible netvibes only checks the X-Frame-Options header and refuses to collect data if it's set restrictive (ignoring CSP in that case).
I've removed the CSP policy again since it's not working, but I do insist on preventing the forum from being framed inside other websites.

Locked
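
The two failure modes raised in the last reply (a CSP exception written for the wrong requesting domain, and a consumer that reads only X-Frame-Options) can be checked with a small header evaluator. This is an added example, not code from the forum or its administrators; the hosts `forum.example` and `reader.example` and the header values are constructed placeholders, and source matching is simplified (ports and paths are ignored).

```python
from urllib.parse import urlsplit

def origin(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, parent, page):
    """Simplified CSP source matching (ports and paths are ignored)."""
    scheme, host, _ = origin(parent)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return origin(parent) == origin(page)
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return scheme == source[:-1].lower()
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme.lower() != scheme:
        return False
    src_host = src_host.lower().split("/")[0].split(":")[0]
    if src_host.startswith("*."):                 # wildcard: subdomains only, not the apex
        return host.endswith(src_host[1:])
    return host == src_host

def framing_allowed(headers, parent, page, honours_csp=True):
    """Decide whether `parent` may frame `page` given the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", "")) if honours_csp else None
    if sources is not None:                       # frame-ancestors supersedes X-Frame-Options
        return any(source_matches(s, parent, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(parent) == origin(page)
    return True

# Constructed sample values: placeholder hosts, not the forum's real configuration.
PAGE = "https://forum.example/viewtopic.php"
HEADERS = {"X-Frame-Options": "SAMEORIGIN",
           "Content-Security-Policy": "frame-ancestors 'self' https://*.reader.example"}
```

With these headers a CSP-aware client allows `https://www.reader.example/` to frame the page, a client that reads only X-Frame-Options (`honours_csp=False`) refuses, and the apex `https://reader.example/` is refused either way because the wildcard covers subdomains only.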