Reputation: 1
We see the following in our network trace.
memberDocuments:1 Refused to display 'https://yyy.xxxx.org/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Refused to frame 'https://yyyy.xxxx.org/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' https://*.xxxx.org".
Refused to display 'https://yyyy.xxxx.org/' in a frame because it set 'X-Frame-Options' to 'sameorigin'
We also have an SSO framework (PingFederate) which protects our content. The response header configuration for the runtime applications is set to have:
SAMEORIGIN --> --> name="exclude-patterns"> /idp/startSLO.ping;/sp/startSLO.ping;/idp/SLO.saml2;/sp/SLO.saml2;/idp/SLO.ping;/sp/SLO.ping;/idp/prp.wsf;/sp/prp.wsf;/idp/prp.ping;/sp/prp.ping </con:item> </con:map> -->
<con:map name="Content-Security-Policy">
  <con:item name="value">script-src 'unsafe-inline' 'unsafe-eval' 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; object-src 'self'; frame-ancestors 'self' https://*.xxxx.org;</con:item>
  <con:item name="include-patterns"></con:item>
</con:map>
How does one go about fixing it?
Upvotes: 0
Views: 1152
Reputation: 3351
First off, there's relatively little reason for embedding an external login page in your application, especially one on a different domain. There are no security "pros" for doing so, and lots of security "cons". I would suggest that you go and evaluate why you want to embed it, and then research why you shouldn't (the biggest reasons will be found within the OWASP Top 10).
Second, if you don't manage the identity provider, then you shouldn't try to embed the page in a different domain. They have set these values for a reason. In what world is it cool to try to do something that your partner that manages their identities has explicitly forbidden? Maybe you should ask them if they will allow you to embed the page?
Finally, if your identity provider agrees to allow you to embed the login page in a secondary domain, then there are several ways within PingFederate to achieve this, with the method varying by the version of PingFederate in use. It can be achieved by editing the headers produced by PingFederate, it can be a virtual host option setting in PingFederate, etc. The PingFederate administrators can contact Ping if they need help configuring this.
Upvotes: 1
Reputation: 414
Run a reverse proxy on the same domain and modify the X-Frame-Options header at the proxy level, then point your iframe at the proxy URL. A Node.js implementation can be achieved using https://www.npmjs.com/package/http-proxy; you can also use plain nginx.
Consider:
https://xxxx.org/ is your main domain (served via your Node app)
https://yyy.org/ is the domain you are trying to load inside the iframe (external domain)
Steps:
Upvotes: -1