update to 1.2.16 and problem with same-origin

Started by Jimako, July 06, 2020, 02:34:12 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Jimako

July 06, 2020, 02:34:12 AM
Hello,
I noticed in changelog that there was this change:

Enforce same-origin iframe use only

And from controller.php I can see that there is some test rt parm and embed mode

I need to display a full product page inside an iframe (different domain).  How the URL should look to pass this test now?

Thank you




abolabo

#1
July 06, 2020, 07:03:04 AM
it's a security policy question.
We had add defense from clickjacking attack into core/engine/controller.php file to prevent exactly your case.
Somebody can cover checkout details fields by it's own js-script keylogger from parent frame. That's why we added this solution. To prevent theft.
That's why we recommends to use embed mode for including store into your existing site.

If you still prefer to use your own iframe you can to replace header call in the file core/engine/controller.php
Code Select
$this->response->addHeader('X-Frame-Options: SAMEORIGIN');
with your allowed domain name
Code Select
$this->response->addHeader('X-Frame-Options: ALLOW-FROM www.yourdomain.com');
Beware to overwriting this custom solution during future upgrade process
"No one is useless in this world who lightens the burdens of another."
― Charles Dickens

mariansparks

#2
August 05, 2020, 04:20:30 AM
Thanks for the info, much appreciated!
Print
Go Up Pages1
User actions

Forum Rules Code of conduct
AbanteCart.com 2010 -