update to 1.2.16 and problem with same-origin

Started by Jimako, July 06, 2020, 02:34:12 AM


Jimako

Hello,
I noticed in changelog that there was this change:

Enforce same-origin iframe use only

And from controller.php I can see that there is some test for the rt param and embed mode.

I need to display a full product page inside an iframe (different domain). How should the URL look to pass this test now?

Thank you





abolabo

It's a security policy question.
We added a defense against clickjacking attacks to the core/engine/controller.php file to prevent exactly your case.
Somebody can cover the checkout detail fields with their own JS keylogger script from the parent frame. That's why we added this solution: to prevent theft.
That's why we recommend using embed mode for including the store in your existing site.

If you still prefer to use your own iframe, you can replace the header call in the file core/engine/controller.php
$this->response->addHeader('X-Frame-Options: SAMEORIGIN');
with your allowed domain name
$this->response->addHeader('X-Frame-Options: ALLOW-FROM www.yourdomain.com');
Beware of overwriting this custom solution during the future upgrade process.
"No one is useless in this world who lightens the burdens of another."
― Charles Dickens
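Added example, not code from the AbanteCart project or from the posters above: a small PHP helper that builds the anti-clickjacking headers for a list of trusted embedding origins. It emits `Content-Security-Policy: frame-ancestors`, which is the header current browsers honour when specific third-party origins must be allowed to frame a page (the `ALLOW-FROM` form of `X-Frame-Options` is not supported by modern browsers), and keeps `X-Frame-Options: SAMEORIGIN` as the fallback when no foreign origin is allowed. The function name, the `https://www.yourdomain.com` value and the `addHeader` call shape are assumptions.

```php
<?php
// Added example (not AbanteCart project code): build anti-clickjacking
// headers for a store that must be framed by a known set of sites.

/**
 * Return the header lines to send for the given trusted embedding origins.
 *
 * @param string[] $allowedOrigins  e.g. ['https://www.yourdomain.com'] (hypothetical value)
 * @return string[]                 header lines in "Name: value" form
 */
function frameEmbeddingHeaders(array $allowedOrigins): array
{
    $sources = ["'self'"];
    foreach ($allowedOrigins as $origin) {
        // Accept only a bare https://host[:port] origin; paths, wildcards and
        // junk are rejected so a typo cannot silently widen the policy.
        if (!preg_match('#^https://[A-Za-z0-9.-]+(:\d+)?$#', $origin)) {
            throw new InvalidArgumentException("Not an https origin: $origin");
        }
        $sources[] = $origin;
    }

    // frame-ancestors is the CSP directive browsers use to decide who may
    // frame this response; it takes precedence over X-Frame-Options where both are sent.
    $headers = ['Content-Security-Policy: frame-ancestors ' . implode(' ', $sources)];

    // X-Frame-Options cannot express a list of foreign origins, so it is only
    // useful as a fallback for old browsers when no foreign origin is allowed.
    if (count($allowedOrigins) === 0) {
        $headers[] = 'X-Frame-Options: SAMEORIGIN';
    }
    return $headers;
}

// Inside a controller the call would look like this (hypothetical call shape):
//   foreach (frameEmbeddingHeaders(['https://www.yourdomain.com']) as $h) {
//       $this->response->addHeader($h);
//   }

// Stand-alone demonstration with two constructed cases.
foreach ([[], ['https://www.yourdomain.com']] as $case) {
    echo json_encode($case), "\n";
    foreach (frameEmbeddingHeaders($case) as $h) {
        echo "  $h\n";
    }
}
```

Because the headers are generated from one list, the customisation lives in a single place that can be re-applied after an upgrade instead of being hand-edited into controller.php.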

mariansparks

