I am attempting to embed one site into another site. I control both servers, which I will refer to here as “site1.com” (the site in the browser) and “site2.com” (the site I am trying to embed).
HTML embed code
Attempt 1, using iframe tag:
Unable to display--your browser does not support frames.
Attempt 2, using object tag:
Things I know are not the problem
I’ve read that Firefox will not allow an HTTP embed into an HTTPS page. Both sites are HTTPS, so there is no mismatch. The loaded resources (CSS, etc) are also https, from same origin, so there is no mixed-content problem.
I have tried setting
false, in case I was mistaken about this, but the iframe was still blank.
Invalid or untrusted certificates
Both sites are using valid certificates, signed by a proper trusted authority, and are not expired. In fact, we are using a subdomain wildcard certificate, so they are both using the same certificate (they both are in the same subdomain).
The site that I am trying to embed has this response header:
X-Frame-Options: ALLOW-FROM SITE1.COM
The site that I am trying to embed has this response header (wrapped here for readability):
Content-Security-Policy: frame-ancestors https://site1.com; default-src 'self'; script-src https://site1.com 'self' 'unsafe-inline'; style-src https://site1.com 'self' 'unsafe-inline'
Extra disclosure, possibly not needed – these headers are being generated by a Django application server, using this config and the “django-csp” module.
X_FRAME_OPTIONS = 'Allow-From site1.com' CSP_FRAME_ANCESTORS = ('https://site1.com',) CSP_STYLE_SRC = ('https://site1.com', "'self'", "'unsafe-inline'") CSP_SCRIPT_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
My understanding is that CORS is only in play when the request contains an “Origin” header. That doesn’t seem to be happening here. I have also tried addressing CORS by using this header:
But that appears to have no effect.
I do not have an ad blocker in this Firefox install. I also removed all of my extensions and re-tested after a Firefox restart, the “blank iframe” behavior remains the same with no extensions installed at all.
I have tested using the following browsers.
- Google Chrome 58.0.3029.81 (64-bit) (macOS)
- Safari 10.1 (macOS)
- Firefox 53.0 (64-bit) (macOS)
- Microsoft Edge 38.14393.0.0 (Windows 10)
Using Chrome, Safari, and Edge, the frame is shown like I expect – site2.com appears as a box inside of the site1.com page.
Using Firefox, I am shown an empty space of the size specified (600×600). If I used iframe, then there is a black border around it. If I used object, it’s just a blank area with no border.
The most interesting thing is that if I open the developer console and reload the page, I see the requests to fetch site1.com and its CSS and so on, but there are no requests made for site2.com. It isn’t that there is a problem showing site2.com, it is never requested at all.
Also, the developer console shows no errors or warnings about this. If there were an error condition or security exception preventing the loading of the second site, I would expect some sort of warning to be logged.
This has been driving me crazy for a few days. Any suggestions appreciated.