
Embedding AppGini into website

Posted: 2018-02-19 19:51
by ronwill
Has something changed with the latest version to affect above?

Since updating I've noticed that I now get a message in instances where I've embedded AppGini into websites:

Quote
This content can’t be shown in a frame
There is supposed to be some content here, but the publisher doesn’t allow it to be displayed in a frame. This is to help protect the security of any information you might enter into this site.
UnQuote

Previously it used to run without issue or blocking etc. This only happens on projects that I re-publish in the newest version of AppGini.

Cheers,

Re: Embedding AppGini into website

Posted: 2018-02-20 00:42
by ronwill
It's OK, I found it in datalist.php:

    function set_headers(){
        @header('Content-Type: text/html; charset=' . datalist_db_encoding);
        @header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
    }

Then read up about it here: https://www.owasp.org/index.php/Clickja ... eat_Sheet

Ohh well better to be safer than sorry, damn they spoil everything!!! Glad to see AppGini are trying to protect us.

Cheers,

Re: Embedding AppGini into website

Posted: 2018-02-20 00:46
by peebee
I haven't actually tried V5.70 yet so I am guessing at this but.....

X-Frame-Options to prevent clickjacking must have been added to the new AppGini code output.

It is actually a good thing from a security point of view and one of the basics in penetration testing of databases.

You can read more here: https://developer.mozilla.org/en-US/doc ... me-Options

or here: https://www.owasp.org/index.php/Clickja ... heat_Sheet

If you really must use an iframe, I would search the code and look for "X-Frame-Options" (most likely in the @header options in incCommon.php or perhaps the header files?)

Change from X-Frame-Options: DENY to one of the other options to suit your situation.

If that's not the issue - then I'm not sure what else has been added....? I'll hopefully give V5.70 a go in the next few weeks.

Re: Embedding AppGini into website

Posted: 2018-02-20 00:47
by peebee
Wow, must have posted at the same time. Pity, should have waited and I could have saved myself some time typing the reply... :-)

Re: Embedding AppGini into website

Posted: 2018-02-25 14:59
by ronwill
Lol, but still appreciate your taking the time to respond

Re: Embedding AppGini into website

Posted: 2018-02-28 11:49
by a.gneady
X-Frame-Options: SAMEORIGIN still allows you to embed your AppGini app in an iframe, but the containing page must be hosted on the same domain.
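
Added example, not part of the thread and not AppGini's own code: when the containing page has to live on a different domain, the standard alternative to removing the header is a Content-Security-Policy `frame-ancestors` directive that names the exact parent origins, with `X-Frame-Options: SAMEORIGIN` kept as the fallback. The function names and `https://www.example.com` are assumptions made for illustration.

```php
<?php
// Added example, not AppGini code. build_frame_headers(), send_frame_headers()
// and the origin used below are hypothetical names chosen for illustration.

/**
 * Build the response headers that restrict who may frame this page.
 * $trustedParents: exact https origins allowed to embed the app in addition
 * to the app's own origin. An empty array means same origin only.
 */
function build_frame_headers(array $trustedParents = []): array
{
    $sources = ["'self'"];
    foreach ($trustedParents as $origin) {
        // Accept only https://host[:port]. This rejects wildcards, paths,
        // spaces, semicolons and CR/LF, so a bad config value can neither
        // widen the policy nor inject another header.
        if (!is_string($origin)
            || !preg_match('#\Ahttps://[a-z0-9.-]+(:\d{1,5})?\z#i', $origin)) {
            throw new InvalidArgumentException('Not a valid https origin');
        }
        $sources[] = strtolower($origin);
    }

    return [
        // Browsers that support frame-ancestors enforce it and ignore X-Frame-Options.
        'Content-Security-Policy: frame-ancestors ' . implode(' ', array_unique($sources)),
        // Fallback for older browsers: they fail closed to same-origin framing.
        'X-Frame-Options: SAMEORIGIN',
    ];
}

/** Send the headers; call before any output is written. */
function send_frame_headers(array $trustedParents = []): void
{
    foreach (build_frame_headers($trustedParents) as $line) {
        header($line);
    }
}

// Constructed sample: run from the command line to see both policies.
if (PHP_SAPI === 'cli') {
    print_r(build_frame_headers());                            // same origin only
    print_r(build_frame_headers(['https://www.example.com'])); // one trusted parent
}
```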