update to 1.2.16 and problem with same-origin

[Jimako]

Hello,
I noticed in changelog that there was this change:

Enforce same-origin iframe use only

And from controller.php I can see that there is some test rt parm and embed mode

I need to display a full product page inside an iframe (different domain).  How the URL should look to pass this test now?

Thank you

[abolabo]

it's a security policy question.
We had add defense from clickjacking attack into core/engine/controller.php file to prevent exactly your case.
Somebody can cover checkout details fields by it's own js-script keylogger from parent frame. That's why we added this solution. To prevent theft.
That's why we recommends to use embed mode for including store into your existing site.

If you still prefer to use your own iframe you can to replace header call in the file core/engine/controller.php

Code Select Expand

$this->response->addHeader('X-Frame-Options: SAMEORIGIN');
with your allowed domain name

Code Select Expand

$this->response->addHeader('X-Frame-Options: ALLOW-FROM www.yourdomain.com');
Beware to overwriting this custom solution during future upgrade process

[mariansparks]

Thanks for the info, much appreciated!