Author Topic: update to 1.2.16 and problem with same-origin  (Read 395 times)

Offline Jimako

  • Newbie
  • *
  • Posts: 4
  • Karma: +1/-0
    • View Profile
update to 1.2.16 and problem with same-origin
« on: July 06, 2020, 02:34:12 AM »
Hello,
I noticed in changelog that there was this change:

Enforce same-origin iframe use only

And from controller.php I can see that there is some test rt parm and embed mode

I need to display a full product page inside an iframe (different domain).  How the URL should look to pass this test now?

Thank you


 


Offline abolabo

  • core-developer
  • Administrator
  • Hero Member
  • *****
  • Posts: 1844
  • Karma: +277/-11
  • web for all, all for web!
    • View Profile
    • AbanteCart
Re: update to 1.2.16 and problem with same-origin
« Reply #1 on: July 06, 2020, 07:03:04 AM »
it's a security policy question.
We had add defense from clickjacking attack into core/engine/controller.php file to prevent exactly your case.
Somebody can cover checkout details fields by it's own js-script keylogger from parent frame. That's why we added this solution. To prevent theft.
That's why we recommends to use embed mode for including store into your existing site.

If you still prefer to use your own iframe you can to replace header call in the file core/engine/controller.php
Code: [Select]
$this->response->addHeader('X-Frame-Options: SAMEORIGIN');with your allowed domain name
Code: [Select]
$this->response->addHeader('X-Frame-Options: ALLOW-FROM www.yourdomain.com');Beware to overwriting this custom solution during future upgrade process
“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens

Offline mariansparks

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: update to 1.2.16 and problem with same-origin
« Reply #2 on: August 05, 2020, 04:20:30 AM »
Thanks for the info, much appreciated!

 

Powered by SMFPacks Social Login Mod