Bug #105617
open
Viewpage module does not show page in iFrame (not allowed to be displayed)
0%
Description
When trying to preview a page in the backend with "view" the page is not opened in the preview iFrame.
Although the page to be opened is from the same domain as the TYPO3 backend I get this behaviour.
I tried it with Firefox, Chrome and Opera. Always the same.
Is there a way to find out what is going on here?
Updated by Garvin Hicking 3 days ago
- Status changed from New to Needs Feedback
Could you check the output in your browser's console, especially the error console plus the network console and the HTTP headers of the failing request?
(Could be related to CSP or htaccess settings or browser settings or possible intermediate proxies)
Updated by Michael Perlbach 2 days ago
I am not quite sure how to answer you.
What I found out is that although I make the following settings in htaccess
Header set Content-Security-Policy "frame-src 'self' https://mydomain.tld; frame-ancestors 'self' https://mydomain.tld;"
the directive "frame-ancestors" is set to "none" when the page is loaded in the view iFrame.
So it seems as if somewhere in TYPO3 the directive "frame-ancestors" seems to get overridden somehow. But I have no idea where to look.
Updated by Garvin Hicking 2 days ago
TYPO3 ships its own backend CSP headers. Can you please remove any custom CSP settings in your htacces/webserver config and see if that maybe causes the issue?
Updated by Michael Perlbach about 21 hours ago
ยท Edited
I added my own headers as a result of the problems I had. So removing them will not remedy the situation.
Somewehre in TYPO3 the directive "frame-ancestors" must set to "none" - and as it seems, setting it in .htaccess has no influence.
Updated by Garvin Hicking about 13 hours ago
You can (must) use the CSP API of TYPO3 so that you can modify the backends CSP rules properly. Adding them via htaccess is not a viable option.
Please see https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/ContentSecurityPolicy/Index.html on how to achieve this.
If you can be more specific about why and for what you needed the custom CSP htaccess header maybe can help to tell how to do it with the API.
Updated by Michael Perlbach about 9 hours ago
Thanks for the hint.
I deactivated my .htaccess settings and tried to use the approach with EXT:my_extension/Configuration/ContentSecurityPolicies.php in my site package ("Policies for frontend and backend can be applied automatically by providing a Configuration/ContentSecurityPolicies.php file").
Unfortunately it does not work.
Although I set the directive
new Mutation(
MutationMode::Set,
Directive::FrameAncestors,
SourceKeyword::self,
)it has no effect. frame-ancestors is still set to 'none'.
Updated by Michael Perlbach about 8 hours ago
When I take a look into "TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive" I see that "FrameAncestors" does not seem to be part of the list of directives which can be mutated.
Is there a specific reason for this? And what can I do about it?