I use Drupal 7.33 and Image Field. I can't upload or delete images when JS is turned on in my browser. So it can't be a file-permission or php problem.
From my nginx-log-file:
[warn] 812#0: *7074 a client request body is buffered to a temporary
file /var/lib/nginx/body/0000000023, client: 174.61.242.24,
server: www.example.com, request: "POST /file/ajax/field_foto/und/0/form
Bw9u5Xhbowcr3qGBI4mPYtnNtC0AUHpyi2L_xesa9qY HTTP/1.1", host: "www.example.com",
referrer: "http://www.example.com/node/8/edit"
I also use the jQuery-Update Module with Version 1.5 for administrative sites.
Console-Error:
'Attr.nodeValue' is deprecated. Please use 'value' instead.
jquery-1.5.2.min.js:16
Refused to display 'http://www.example.com/file/ajax/field_foto/und/0/form-wNmrRuGxQgvWtN_glNEmnFI34Bm-m_sMC-iuGVn0Wmk'
in a frame because it set 'X-Frame-Options' to 'DENY'. about:blank:1
Uncaught SecurityError: Sandbox access violation: Blocked a frame at
"http://www.example.com" from accessing a frame at "null".
The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.
js_4QRrlXrX4C71F2nR2dAhf6BenDZnNcl6GHuDAJyosZw.js:101t
js_4QRrlXrX4C71F2nR2dAhf6BenDZnNcl6GHuDAJyosZw.js:101
With the default jQuery Version provided by the theme, I get this error (pop-up), when I try to delete the file:
An AJAX HTTP request terminated abnormally.
Debugging information follows.
Path: /file/ajax/field_foto/und/0/form-3_O5Rsz9PLD9NJCuwI157oZdHW1XJ8gOdTtJYQTT1oI
StatusText: n/a
ResponseText:
ReadyState: undefined
I've tested this with Chrome, Firefox and Safari.
The Status-Report from Drupal is OK.
Thanks for your help ;)
This small configuration should fix the issue:
Configuring Apache
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:
Header always append X-Frame-Options SAMEORIGIN
Configuring nginx
To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:
add_header X-Frame-Options SAMEORIGIN;
This only seems to be happening to me on localhost. Overlay is off and the only error I see in Chrome dev tools console is "'Attr.nodeValue' is deprecated. Please use 'value' instead.".
Related
I am not sure about the exact status of this HTTP header. Some source - for instance Mozilla or Caniuse - clearly indicate that this header has been removed since the version 70 of Firefox, and has been replaced by Content-Security-Policy: frame-ancestors.
Despite of that, I can see that X-Frame-Options: ALLOW-FROM myServerURI is still working : using Firefox 75, I clearly see that setting this header or not server side has still an impact on an iFrame : the inner content is allowed or is blocked when the header is present or not.
Examining the server's response headers using Firefox F12 / Web developer tools, Network, Headers clearly shows the presence of this header and the impact on the result. In this situation, there is also a Content-Security-Policy header present, but without the frame-ancestors directive.
Something must be wrong with your test.
When I try using it in Firefox 75, I get an error in the console:
Invalid X-Frame-Options: “ALLOW-FROM http://www.example.com/” header from “http://localhost:7007/” loaded into “http://localhost:8080/”.
… and the content is displayed in the frame even though the iframe is hosted on http://localhost:8080/ and not http://www.example.com/
ALLOW-FROM value for X-Frame-Options header is obsolete now and not supported by new browsers.
Refer this link for valid possible values : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
django-cms==3.4.2
server=nginx
security=https://letsencrypt.org/
Since my web site is on https I'm unable to access django admin pages directly from my site (www.blabla.ab)
I can access them by changing the url while adding admin at the end or the url https://blabla.ab/fr/admin but not thought the admin cms dropdown menu (top left part of the window) or double click menu, I get the following error:
SecurityError : Failed to read the ‘contentDocument’ property from ‘HTMLIFrameElement’ : Blocked a frame
With origin “https” from accessing a cross-origin frame
or at form popup:
The form could not be loaded. Please check that the server is running.
It seems that Django CMS admin does not work with https because of cross-origin frame?
I've tried with
X_FRAME_OPTIONS = 'SAMEORIGIN'
X_FRAME_OPTIONS = 'ALLOW-FROM https://blabla.ab/'
with the django security middleware
MIDDLEWARE_CLASSES = (
'cms.middleware.utils.ApphookReloadMiddleware',
'django.middleware.security.SecurityMiddleware',
but it does'nt change anything. Any idea?
I've found the cause of the problem.
My vhost.conf file located in /etc/nginx/sites-available was pointing on a ssl params file include /etc/nginx/snippets/ssl-params.conf
and in that ssl-params.conf file I had the following line
add_header X-Frame-Options DENY;
I've changed that line to
add_header X-Frame-Options SAMEORIGIN;
The spring security (4.0.1.Release) set the HSTS host by default for https protocol and you can see Strict-Transport-Security: max-age=31536000 ; in the response header (I used Firefox>Web Development>Network ).
But when I look at firefox console I see an error which says: The site specified an invalid Strict-Transport-Security header.
I also set the hsts header manually in spring config as :
<headers>
<hsts />
</headers>
The same response header is generated and the FireFox show error again.
According to the https://developer.mozilla.org/docs/Security/HTTP_Strict_Transport_Security the header must be correct !
Any comments ?!
I found it was a bug in firefox as mentioned in The site specified an invalid Strict-Transport-Security header - firebug.
The self-signed certificate seems to generate this issue.
Also refer to: https://jira.spring.io/browse/SEC-3021
Try this, so I solved a similar problem:
You could enter about:config into the firefox address bar (confirm the info message in case it shows up) and search for the preference named security.enterprise_roots.enabled double-click it and change its value to true and restart firefox.
I have a site built in drupal 7 where I use an adding node form which uses ajax for form submission (I use the modal module or the ajax_entity module). In both case when I submit the code the node is not create and I receive the following error in a popup:
"An AJAX HTTP request terminated abnormally. Debugging information follows. Path: http://demo/q=modal/node/add/TestType/ajax/0" Status text:n/a ResponseText:Skip to main content"
I dont if this is important but the node form is divided in vertical tabs and it is opening in modal window. Also it includes textboxes,textareas and file upload field, but in this case still I havent used the file upload fields.
Thanks in advance
Most of the type Drupal Ajax Http error occurs when Drupal cant find Base URL.
So to resolve this issue follow below steps
Set $base_url variable in settings.php
If you have written some custom module, then make sure that whenever you to execute Ajax, check base_url variable have proper value. You can verify base_url value by printing this variable.
I recently had a similar issue and found that someone adjusted the X-Frame-Options in Apache. If you look in the browser's console log, I had this error displaying:
Refused to display 'https://www.example.com/file/ajax/field_heading_background_image/und/0/form-kfxURDN5ZPpN5pjFWajkPCDpMKJrrJthX9WVcY2K8' in a frame because it set 'X-Frame-Options' to 'DENY'.
Adding this to your .htaccess should fix it, but you can also adjust the server configuration:
Header always unset X-Frame-Options
Header set X-Frame-Options SAMEORIGIN
I have a program that uses an XMLHTTPRequest to gather contents from another web page.
Problem is, that web page has cloaking custom errors set-up (ie. /thisurl doesn't literally exist as a file on their web server, it is being generated by the custom 404 error file.), so its not returning the page it shows in the browser, instead its showing its default 404 error response from that custom error page, in my HTTPRequest response.
By using this website http://web-sniffer.net/ I have narrowed down what the problem may be, but I don't know how to fix it.
Web-sniffer has 3 different versions to submit the request:
HTTP version: HTTP/1.1
HTTP/1.0 (with Host header)
HTTP/1.0 (without Host header)`
When I use HTTP/1.1 or HTTP/1.0 (with Host header) I get the correct response (html) from the page. But when I use HTTP/1.0 (without Host header) it does not return the content, instead it returns a 404 error script (showing the custom error page).
So I have concluded that the problem may be due to the Host header not being present in the request.
But I am using MSXML2.XMLHTTP.3.0 and haven't been able to read the page using HTTP/1.1 or HTTP/1.0 (with Host header). The code looks like this:
Set objXML = Server.CreateObject("MSXML2.XMLHTTP.3.0")
objXML.Open "GET", URL, False
objXML.setRequestHeader "Host", MyDomain '< Doesnt work with or w/out this line
objXML.Send
Even after adding a Host header to the request, I still get the template of the 404 error returned by that custom error script in my response, the same as HTTP/1.0 (without Host Header) option on that web-sniffer site. This should be returning 200 OK like it does on the first two options on web-sniffer, and like in a web browser.
So I guess my question is, what is that website (web-sniffer.net) able to get the proper response with their first two HTTP version options, so I can emulate this in my app. I want to get the right page, but its only returning the 404 error from their 404 error template.
In response to an answerer, I have provided screen shots from 2 seperate cUrl requests below, one from each one of my servers.
I executed the same cURL command, same url (that points to a site on the main host), which is cURL -v -I www.site.com/cloakedfile . But looks like its not working on the main server, where it needs to be. It can't be a self-residing issue, because from secondary to secondary it works fine, these are both identical applications/sites, just different ip's/host names. It appears to be an internal issue, that may not be about the application side of things.
I dont have any idea bout MSXML2.XMLHTTP.3.0. But from you problem statement i understand that the issues is certainly due to some HTTP header field that is wrongly set or missed out in your request.
By default HTTP 1.1 clients set Host header. For example if you are connecting to google.com then the request will look like this
GET / HTTP/1.1
Host: google.com
The "Host" header should have the domain name of the server in which the requested resource is residing. Severs that has virtual hosting will get confused if "Host:" header is not present. This is what happens with groups.yahoo.com if you havent specified Host header
$ nc groups.yahoo.com 80
GET / HTTP/1.1
HTTP/1.1 400 Host Header Required
Date: Fri, 06 Dec 2013 05:40:26 GMT
Connection: close
Via: http/1.1 r08.ycpi.inc.yahoo.net (ApacheTrafficServer/4.0.2 [c s f ])
Server: ATS/4.0.2
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 447
And this should be the same issue you are facing with. And also make sure that you are sending the domain name of the server from which you are trying to fetch the resource. And the Host header should have a colon ":" to delimit the value like "Host: www.example.com".