Tuesday, September 14, 2021

Allowing iframes from a shared hosting server

Shared Hosting Providers

Website security is very important these days. There are lots of reasons to refuse to let other sites embed your site via an iframe or embed tag. However, if you have or are purchasing a paid-for service like an intranet and you don't want to rewrite everything to work with that service's JavaScript library and security policy, an embed or iframe may be just what you need.

By default, most of the shared web hosts I've used allow configuration with a .htaccess file. I do recommend going through and assessing what you need to set up for your site security-wise; but in this case I need to allow iframes from an Igloo intranet site.

Typically, if you have experience setting up something like Apache, you would use the X-Frame-Options header to do this; however, this has changed for modern browsers, and while you may still need to add X-Frame-Options for some legacy browsers, I'm going to be focusing on Edge, Chrome and Firefox.

On Igloo I have an embed tag whose source points to a website I have on a shared host. A sample can be seen below. By default, the shared hosting provider refuses the iframe connection.

<embed type="text/html" src="https://websiteIcontrol.ca" width="500" height="200">

On your host, edit your .htaccess file and find your mod_headers.c block. By default it should look something like the one below.

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

We want to add the following (the Content-Security-Policy line).

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
## frame-ancestors lists the origins that are allowed to embed this site
Header set Content-Security-Policy "frame-ancestors 'self' https://websiteIcontrol.ca"
</IfModule>

Once you add that and save the .htaccess file, refresh your page on Igloo and your iframe/embed will show up.

For more information about .htaccess, X-Frame-Options and Content-Security-Policy, please refer to the links below.

https://htaccessbook.com/

https://htaccessbook.com/important-security-headers/#xframe
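
As an added example (not code from the original post), this Python sketch evaluates a response's Content-Security-Policy frame-ancestors and X-Frame-Options headers the way a modern browser would for one embedding page, so you can check which parent origin a policy admits. https://intranet.example is a hypothetical stand-in for the intranet's origin, the BEFORE header is an assumed host default, and only the immediate parent is checked (browsers check every ancestor frame).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())

def source_matches(source, parent, me):
    """Simplified CSP source matching: hostnames only, paths ignored."""
    if source == "'self'":
        return parent == me
    if source == "*":
        return True
    if source.endswith(":"):  # scheme source such as https:
        return parent[0] == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.split("/")[0].lower().partition(":")
    if (scheme.lower() or me[0]) != parent[0]:  # no scheme: use the page's own
        return False
    want = port or DEFAULT_PORTS.get(parent[0])
    if port != "*" and str(want) != str(parent[2]):
        return False
    if host.startswith("*."):  # wildcard covers subdomains only
        return parent[1].endswith(host[1:])
    return parent[1] == host

def framing_allowed(headers, page_url, parent_url):
    """True if parent_url may frame page_url, judged from page_url's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    me, parent = origin(page_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, X-Frame-Options is ignored.
            return any(source_matches(s, parent, me) for s in parts[1:] if s != "'none'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == me
    return True

# Constructed sample data: PAGE is the hosted site from the post; INTRANET is a
# hypothetical stand-in for the origin of the intranet page that embeds it.
PAGE, INTRANET = "https://websiteIcontrol.ca/", "https://intranet.example/home"
BEFORE = {"X-Frame-Options": "SAMEORIGIN"}  # assumed default sent by the host
AFTER = {**BEFORE, "Content-Security-Policy": "frame-ancestors 'self' https://intranet.example"}
```

framing_allowed(BEFORE, PAGE, INTRANET) is False and framing_allowed(AFTER, PAGE, INTRANET) is True: the source list has to name the origin of the page doing the embedding, since 'self' only covers the hosted site itself.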

