Bug #105617 (closed)
Viewpage module does not show page in iFrame (not allowed to be displayed)
Description
When trying to preview a page in the backend with "view" the page is not opened in the preview iFrame.
Although the page to be opened is from the same domain as the TYPO3 backend I get this behaviour.
I tried it with Firefox, Chrome and Opera. Always the same.
Is there a way to find out what is going on here?
Updated by Garvin Hicking 4 months ago
- Status changed from New to Needs Feedback
Could you check the output in your browser's console, especially the error console plus the network console and the HTTP headers of the failing request?
(Could be related to CSP or htaccess settings or browser settings or possible intermediate proxies)
Updated by Michael Perlbach 4 months ago
I am not quite sure how to answer you.
What I found out is that although I make the following settings in htaccess
Header set Content-Security-Policy "frame-src 'self' https://mydomain.tld; frame-ancestors 'self' https://mydomain.tld;"
the directive "frame-ancestors" is set to "none" when the page is loaded in the view iFrame.
So it seems as if somewhere in TYPO3 the directive "frame-ancestors" seems to get overridden somehow. But I have no idea where to look.
Updated by Garvin Hicking 4 months ago
TYPO3 ships its own backend CSP headers. Can you please remove any custom CSP settings in your htaccess/webserver config and see if that maybe causes the issue?
Updated by Michael Perlbach 4 months ago
· Edited
I added my own headers as a result of the problems I had. So removing them will not remedy the situation.
Somewhere in TYPO3 the directive "frame-ancestors" must be set to "none" - and as it seems, setting it in .htaccess has no influence.
Updated by Garvin Hicking 4 months ago
You can (must) use the CSP API of TYPO3 so that you can modify the backend's CSP rules properly. Adding them via htaccess is not a viable option.
Please see https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/ContentSecurityPolicy/Index.html on how to achieve this.
If you can be more specific about why and for what you needed the custom CSP htaccess header, maybe I can help to tell how to do it with the API.
Updated by Michael Perlbach 4 months ago
Thanks for the hint.
I deactivated my .htaccess settings and tried to use the approach with EXT:my_extension/Configuration/ContentSecurityPolicies.php in my site package ("Policies for frontend and backend can be applied automatically by providing a Configuration/ContentSecurityPolicies.php file").
Unfortunately it does not work.
Although I set the directive
    new Mutation(
        MutationMode::Set,
        Directive::FrameAncestors,
        SourceKeyword::self,
    )
it has no effect. frame-ancestors is still set to 'none'.
Updated by Michael Perlbach 4 months ago
When I take a look into "TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive" I see that "FrameAncestors" does not seem to be part of the list of directives which can be mutated.
Is there a specific reason for this? And what can I do about it?
Updated by Garvin Hicking 4 months ago
Michael Perlbach wrote in #note-7:
When I take a look into "TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive" I see that "FrameAncestors" does not seem to be part of the list of directives which can be mutated.
Is there a specific reason for this? And what can I do about it?
You can see that there are multiple "ContentSecurityPolicies.php" files from TYPO3 system extensions, like "cms-frontend" and "cms-backend".
typo3/sysext/backend/Configuration/ContentSecurityPolicies.php
sets this:
new Mutation(MutationMode::Extend, Directive::FrameSrc, SourceKeyword::self),
Your code above isn't the full code you use, could you please show that?
Also, you may want to check your "System > Configuration > Content Security Policy Mutations" list. This shows you which directives are inherited and configured exactly.
To have a normal TYPO3 preview working, the rule:
frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com;
ensures that my iframe backend preview properly works; a 'frame ancestors' setting might not even be needed at all?!
Updated by Michael Perlbach 4 months ago
Unfortunately setting "frame-src" to "self" or my tld does not help. This is how I set up my configuration (works with neither "set" nor "extend"):
    <?php
    declare(strict_types=1);

    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceKeyword;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceScheme;
    use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
    use TYPO3\CMS\Core\Type\Map;

    // Each entry is a [Scope, MutationCollection] pair; this one targets the backend.
    return Map::fromEntries([
        // Provide declarations for the backend
        Scope::backend(),
        new MutationCollection(
            // Extends default-src with 'self'
            new Mutation(
                MutationMode::Extend,
                Directive::DefaultSrc,
                SourceKeyword::self,
            ),
            // Extends frame-src with 'self' (the preview iframe source)
            new Mutation(
                MutationMode::Extend,
                Directive::FrameSrc,
                SourceKeyword::self,
            ),
            // Extends frame-ancestors with 'self' (who may embed the page)
            new Mutation(
                MutationMode::Extend,
                Directive::FrameAncestors,
                SourceKeyword::self,
            )
        ),
    ]);
I tested it with several browsers. The error message sent back from the browsers was always that "frame-ancestors" is set to "none", which forbids browsers from loading a page in the iFrame. "frame-ancestors" seems to be set to "none" by TYPO3 and there seems to be no way to change it, as "frame-ancestors" is not part of the list of directives that can be changed. I just wonder what the rationale behind leaving out "frame-ancestors" from the list of changeable directives is. Some security considerations?
Updated by Garvin Hicking 4 months ago
Do you face these issues locally or on a production server?
Are reverse proxies involved?
How does your full final CSP header look like for a TYPO3 backend HTTP request?
Which rules do you see in System > Configuration > Content Security Policy Mutations?
Because: When I import your ruleset, it is applied for me. For testing I edited the file typo3/sysext/backend/Configuration/ContentSecurityPolicies.php
(as a replacement for my sitepackage). I inserted your three mutations. After that, these are visible in the backend (see screenshot).
The CSP header looks like this:
default-src 'self'; script-src 'self' 'nonce-8EOkevLWIMHCqSXmiW2kIWgnShgbxv76PVOF9vWBUJ_nhl2ZCZbNUg' 'report-sample'; style-src 'self' 'unsafe-inline' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; img-src 'self' data: *.ytimg.com *.vimeocdn.com https://extensions.typo3.org; worker-src 'self' blob:; frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com; base-uri 'none'; object-src 'none'; frame-ancestors 'self'; report-uri https://typo3-core-bugreproduce-base.ddev.site/typo3/@http-reporting?csp=report&requestTime=1732572778692522
So you can see, the "frame-ancestors" setting is defined for me. Not sure from where you say that 'frame-ancestors' would be disallowed?
I am thinking either some extension or custom code in your case is manipulating the CSP headers still, or some kind of proxy might be messing with the HTTP headers.
(Note that a vanilla TYPO3 install really doesn't require setting frame-ancestors if the default-src 'self' matches)
Updated by Michael Perlbach 4 months ago
· Edited
I just checked my CSP headers and they are correct - but when I load the page the JavaScript console tells me that frame-ancestors is set to "none" although it is set to "self" in the CSP header. So the problem seems not to be related to TYPO3. Case can be closed - and thanks for the hints.
Updated by Garvin Hicking 4 months ago
- Status changed from Needs Feedback to Closed
Thanks for the update. Maybe check browser extensions (things like popup blockers or privacy extensions are known to fiddle with this)
Updated by Michael Perlbach 3 months ago
· Edited
Just a last addition from my side - I found the cause for my problems.
In the site package I was using, the TypoScript file "ext:<extname>/Configuration/Sets/<setname>/Typoscript/Config/HTTPHeaders.typoscript" contained the entry
additionalHeaders.60.header = Content-Security-Policy: frame-ancestors 'none'
Commenting this out solved the problem.
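The root cause above, a second Content-Security-Policy header (sent via TypoScript additionalHeaders with frame-ancestors 'none') delivered next to the backend policy with frame-ancestors 'self', is the standard way browsers combine several CSP headers: every delivered policy is enforced independently, so a single 'none' wins over any 'self'. The following Python script is an added example, not code from this thread or from TYPO3. It parses each CSP header value a response carried and reports which policy rejects the embedding origin. The header values, origins and function names are constructed for illustration.

```python
"""Diagnose which Content-Security-Policy header blocks an <iframe>.

Added example (not TYPO3 code). Browsers enforce every CSP header a
response carries; a frame is shown only if each policy that declares
frame-ancestors allows the embedding origin. A policy without a
frame-ancestors directive imposes no framing restriction, because
frame-ancestors does not fall back to default-src.
"""
from __future__ import annotations

from urllib.parse import urlparse

_DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse one CSP header value into {directive: [source expressions]}.

    Directives are separated by ';', sources by whitespace. A directive
    repeated inside the same policy is ignored after its first occurrence,
    which matches browser behaviour.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _port(url) -> int | None:
    return url.port or _DEFAULT_PORT.get(url.scheme)


def _host_matches(pattern: str, host: str) -> bool:
    """Match a host-source ('example.test' or '*.example.test') against a host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(source: str, ancestor: str, page: str) -> bool:
    """Does one frame-ancestors source permit `ancestor` to frame `page`?

    Origins are 'scheme://host[:port]'. Supported: 'none', 'self',
    scheme-source (https:), host-source with optional scheme/port and a
    leading wildcard. Path matching is not needed for frame-ancestors.
    """
    a, p = urlparse(ancestor), urlparse(page)
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (a.scheme, a.hostname, _port(a)) == (p.scheme, p.hostname, _port(p))
    if s.endswith(":") and "/" not in s:  # scheme-source, e.g. "https:"
        return a.scheme == s[:-1]
    # host-source: give it the ancestor's scheme if it has none so urlparse splits it
    h = urlparse(s if "://" in s else f"{a.scheme}://{s}")
    if h.scheme != a.scheme or _port(h) != _port(a):
        return False
    return _host_matches(h.hostname or "", a.hostname or "")


def framing_verdict(csp_headers: list[str], page: str, ancestor: str) -> tuple[bool, list[str]]:
    """Evaluate all CSP headers of one response.

    Returns (allowed, blockers); blockers holds the frame-ancestors source
    list of every policy that rejected the ancestor. One blocker is enough
    for the browser to refuse the frame, whatever the other headers say.
    """
    blockers: list[str] = []
    for header in csp_headers:
        sources = parse_csp(header).get("frame-ancestors")
        if sources is None:
            continue  # no framing restriction from this policy
        if not any(source_allows(s, ancestor, page) for s in sources):
            blockers.append(" ".join(sources) or "<empty source list>")
    return (not blockers, blockers)


# Constructed samples shaped like the headers in this thread, not captures.
BACKEND_CSP = (
    "default-src 'self'; frame-src 'self' *.youtube-nocookie.com *.youtube.com *.vimeo.com; "
    "base-uri 'none'; object-src 'none'; frame-ancestors 'self'"
)
TYPOSCRIPT_CSP = "frame-ancestors 'none'"  # the extra header from additionalHeaders

if __name__ == "__main__":
    page = "https://example.test"     # the previewed frontend page (constructed)
    backend = "https://example.test"  # the backend hosting the preview iframe
    print(framing_verdict([BACKEND_CSP], page, backend))
    print(framing_verdict([BACKEND_CSP, TYPOSCRIPT_CSP], page, backend))
```

Paste into csp_headers every Content-Security-Policy value the network panel shows for the previewed page, one list entry per header rather than only the first. A non-empty blockers list coming from a header other than the backend policy points at something outside the CSP API (TypoScript additionalHeaders, webserver config or a proxy), which the System > Configuration > Content Security Policy Mutations view will not display because that header is not produced by the API.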
Updated by Garvin Hicking 3 months ago
Great, thanks for letting me know, happy to know the real cause of it :-)