#StackBounty: #html #http #firefox #nginx #iframe <iframe> and <object> are both blank, but only in Firefox

Bounty: 150

I am attempting to embed one site into another site. I control both servers, which I will refer to here as “site1.com” (the site in the browser) and “site2.com” (the site I am trying to embed).

HTML embed code

Attempt 1, using iframe tag:

    Unable to display--your browser does not support frames.

Attempt 2, using object tag:

Things I know are not the problem

Secure/insecure mismatch

I’ve read that Firefox will not allow an HTTP embed into an HTTPS page. Both sites are HTTPS, so there is no mismatch. The loaded resources (CSS, etc) are also https, from same origin, so there is no mixed-content problem.

I have tried setting security.mixed_content.block_active_content to false, in case I was mistaken about this, but the iframe was still blank.

Invalid or untrusted certificates

Both sites are using valid certificates, signed by a proper trusted authority, and are not expired. In fact, we are using a subdomain wildcard certificate, so they are both using the same certificate (they both are in the same subdomain).


The site that I am trying to embed has this response header:



The site that I am trying to embed has this response header (wrapped here for readability):

    frame-ancestors https://site1.com;
    default-src 'self';
    script-src https://site1.com 'self' 'unsafe-inline';
    style-src https://site1.com 'self' 'unsafe-inline'

Extra disclosure, possibly not needed – these headers are being generated by a Django application server, using this config and the “django-csp” module.

    X_FRAME_OPTIONS = 'Allow-From site1.com'

    CSP_FRAME_ANCESTORS = ('https://site1.com',)
    CSP_STYLE_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")
    CSP_SCRIPT_SRC = ('https://site1.com', "'self'", "'unsafe-inline'")


My understanding is that CORS is only in play when the request contains an “Origin” header. That doesn’t seem to be happening here. I have also tried addressing CORS by using this header:

    Access-Control-Allow-Origin: https://site1.com

But that appears to have no effect.

Ad blocker

I do not have an ad blocker in this Firefox install. I also removed all of my extensions and re-tested after a Firefox restart; the “blank iframe” behavior remains the same with no extensions installed at all.

Observed behavior

I have tested using the following browsers.

  • Google Chrome 58.0.3029.81 (64-bit) (macOS)
  • Safari 10.1 (macOS)
  • Firefox 53.0 (64-bit) (macOS)
  • Microsoft Edge 38.14393.0.0 (Windows 10)

Using Chrome, Safari, and Edge, the frame is shown like I expect – site2.com appears as a box inside of the site1.com page.

Using Firefox, I am shown an empty space of the size specified (600×600). If I used iframe, then there is a black border around it. If I used object, it’s just a blank area with no border.

The most interesting thing is that if I open the developer console and reload the page, I see the requests to fetch site1.com and its CSS and so on, but there are no requests made for site2.com. It isn’t that there is a problem showing site2.com, it is never requested at all.

Also, the developer console shows no errors or warnings about this. If there were an error condition or security exception preventing the loading of the second site, I would expect some sort of warning to be logged.

This has been driving me crazy for a few days. Any suggestions appreciated.

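An added example, not part of the original post: a small checker that evaluates the two framing-control headers quoted above independently, X-Frame-Options as RFC 7034 defines it and the CSP `frame-ancestors` directive. The function names are hypothetical, the sample values are copied from the settings and header shown in the question, and wildcard host sources and nested ancestor chains are not handled; it does not model any particular browser.

```python
import re
from urllib.parse import urlsplit

# RFC 7034: ALLOW-FROM takes a serialized origin, i.e. scheme://host[:port].
_SERIALIZED_ORIGIN = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s]+$", re.I)
_DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """(scheme, host, port) triple used for origin comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme)

def check_xfo(value, parent, framed):
    """Verdict of X-Frame-Options for `framed` embedded by `parent`."""
    parts = value.split(None, 1)
    directive = parts[0].upper() if parts else ""
    if directive == "DENY":
        return "blocked"
    if directive == "SAMEORIGIN":
        return "allowed" if _origin(parent) == _origin(framed) else "blocked"
    if directive == "ALLOW-FROM" and len(parts) == 2:
        arg = parts[1].strip()
        if not _SERIALIZED_ORIGIN.match(arg):
            return "invalid"  # e.g. a bare host name with no scheme
        return "allowed" if _origin(arg) == _origin(parent) else "blocked"
    return "invalid"

def check_frame_ancestors(csp, parent, framed):
    """Verdict of CSP frame-ancestors; handles *, 'self', 'none' and exact origins."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        for src in tokens[1:]:
            if src == "*":
                return "allowed"
            if src.lower() == "'self'" and _origin(parent) == _origin(framed):
                return "allowed"
            if "://" in src and _origin(src) == _origin(parent):
                return "allowed"
        return "blocked"  # directive present but no source matched
    return "not set"

# Constructed sample: values copied from the settings and header quoted in the post.
XFO = "Allow-From site1.com"
CSP = "frame-ancestors https://site1.com; default-src 'self'"
if __name__ == "__main__":
    print(check_xfo(XFO, "https://site1.com/", "https://site2.com/"))
    print(check_frame_ancestors(CSP, "https://site1.com/", "https://site2.com/"))
```

Because browsers differ in which of the two headers they enforce, a framing policy is only predictable when both checks return the same verdict for the intended parent.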

#StackBounty: #javascript #jquery #html How to use JQuery InputMask with HTML pattern

Bounty: 50

I have an HTML input box for phone numbers.

I’m using InputMask to format the input 860000000 as follows:

8 600 00 000

I’m also using an HTML pattern to check that the number starts with 86 and has 9 digits in total, but with InputMask it stopped working, and I can’t achieve it in any way:

    <label for="phone" class="first-col">Mobile No.:</label>
    <input type="text" id="phone" placeholder="8 600 00 000" required pattern="(86)\d{7}" />

Have you any ideas?

There is a JS Fiddle.


#StackBounty: #html #ios #css z-index treated differently on iOS when setting -webkit-overflow-scrolling: touch

Bounty: 50

I’m seeing some interesting z-index behaviour on iOS.

My sample code can be viewed here: https://jsfiddle.net/59mo8s16/4/

I need the #sidebar to be displayed in front of the #slide-in-tip. This is the case when viewed on Chrome (PC and Android) and Firefox (PC). However, on iOS Safari and Chrome, #slide-in-tip appears in front of #sidebar.

I’ve realised that removing -webkit-overflow-scrolling: touch from the CSS makes it appear as intended across all platforms/browsers. However, I need this in order to provide momentum scrolling for the #container div on iOS. Without it, you get that scrolling that stops as soon as you stop swiping, which provides a terrible user experience.

Any ideas on how to resolve this one? Ideally I’d like a CSS-only solution. Any significant restructure of HTML will cause me some major pain at this point. The sample is a really stripped back version of an already-complete website.



    body {
      height: 100%;
      margin: 0;
      -webkit-overflow-scrolling: touch;
    }

    #top-bar {
      top: 0;
      width: 100%;
      z-index: 200;
      background-color: green;
      height: 85px;
      position: absolute;
    }

    #sidebar {
      float: left;
      padding: 30px;
      background-color: pink;
      position: fixed;
      width: 310px;
      left: 0px;
      z-index: 150;
      top: 85px;
      bottom: 0px;
      padding: 0;
      padding-bottom: 50px;
    }

    #container2 {
      min-height: 100%;
    }

    #main {
      padding-right: 20px;
      height: 100%;
      margin: 0;
      margin-left: 10%;
      line-height: 40px;
      text-align: right;
    }

    #container {
      height: 100%;
      margin: 0;
      position: absolute;
      width: 100%;
      overflow-y: scroll;
    }

    #container2 {
      padding-top: 75px;
    }

    #slide-in-tip {
      position: fixed;
      bottom: 0;
      text-align: right;
      width: 100%;
      z-index: 140;
      background-color: blue;
      height: 200px;
    }

long content - see js fiddle for actual long content