Bug #105617
open
Viewpage module does not show page in iFrame (not allowed to be displayed)
Added by Michael Perlbach 3 days ago.
Updated about 10 hours ago.
Category: Backend User Interface
Description
When trying to preview a page in the backend with "view" the page is not opened in the preview iFrame.
Although the page to be opened is from the same domain as the TYPO3 backend, I get this behaviour.
I tried it with Firefox, Chrome and Opera. Always the same.
Is there a way to find out what is going on here?
- Status changed from New to Needs Feedback
Could you check the output in your browser's console, especially the error console plus the network console and the HTTP headers of the failing request?
(Could be related to CSP or htaccess settings or browser settings or possible intermediate proxies)
I am not quite sure how to answer you.
What I found out is that although I make the following settings in htaccess
Header set Content-Security-Policy "frame-src 'self' https://mydomain.tld; frame-ancestors 'self' https://mydomain.tld;"
the directive "frame-ancestors" is set to "none" when the page is loaded in the view iFrame.
So it seems as if somewhere in TYPO3 the directive "frame-ancestors" seems to get overridden somehow. But I have no idea where to look.
TYPO3 ships its own backend CSP headers. Can you please remove any custom CSP settings in your .htaccess/webserver config and see if that maybe causes the issue?
I added my own headers as a result of the problems I had. So removing them will not remedy the situation.
Somewhere in TYPO3 the directive "frame-ancestors" must be set to "none" - and as it seems, setting it in .htaccess has no influence.
Thanks for the hint.
I deactivated my .htaccess settings and tried to use the approach with EXT:my_extension/Configuration/ContentSecurityPolicies.php in my site package ("Policies for frontend and backend can be applied automatically by providing a Configuration/ContentSecurityPolicies.php file").
Unfortunately it does not work.
Although I set the directive
new Mutation(
    MutationMode::Set,
    Directive::FrameAncestors,
    SourceKeyword::self,
)
it has no effect. frame-ancestors is still set to 'none'.
When I take a look into "TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive" I see that "FrameAncestors" does not seem to be part of the list of directives which can be mutated.
Is there a specific reason for this? And what can I do about it?
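As an added diagnostic example, not code from this issue or from TYPO3: a small Python checker that parses a Content-Security-Policy header (for instance the one captured from the failing preview request's response) and evaluates its frame-ancestors directive against the backend origin, the way the browser does before rendering the page inside the view iframe. The header strings and URLs are constructed from the domain used in this thread; it also handles wildcard hosts, ports and scheme-only sources beyond the two headers discussed here.

```python
from urllib.parse import urlsplit

# Constructed sample values modelled on the thread: the header the reporter set in
# .htaccess, and the header observed on the page loaded into the backend "view" iframe.
CSP_HTACCESS = "frame-src 'self' https://mydomain.tld; frame-ancestors 'self' https://mydomain.tld;"
CSP_OBSERVED = "default-src 'self'; frame-ancestors 'none'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}; a repeated directive keeps its first occurrence, as in browsers."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _source_matches(source: str, ancestor: str, page: str) -> bool:
    """Does one frame-ancestors source expression match the embedding page's origin?"""
    a, p = urlsplit(ancestor), urlsplit(page)
    if source == "'none'":
        return False
    if source == "'self'":
        return (a.scheme, a.hostname, a.port) == (p.scheme, p.hostname, p.port)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source such as "https:"
        return a.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)  # host-source
    if s.scheme:
        scheme_ok = a.scheme == s.scheme.lower()
    else:  # no scheme given: the ancestor must use the page's scheme (http pages may be framed by https)
        scheme_ok = a.scheme == p.scheme or (p.scheme == "http" and a.scheme == "https")
    host, a_host = (s.hostname or "").lower(), a.hostname or ""
    if host.startswith("*."):
        host_ok = a_host.endswith(host[1:]) and a_host != host[2:]
    else:
        host_ok = a_host == host
    port_ok = s.port is None or s.port == a.port
    return scheme_ok and host_ok and port_ok


def allows_framing(header: str, page_url: str, ancestor_url: str) -> bool:
    """True if a page served with `header` at page_url may be embedded by ancestor_url.
    Without a frame-ancestors directive CSP imposes no framing restriction (default-src is not a fallback here)."""
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return True
    return any(_source_matches(src, ancestor_url, page_url) for src in sources)
```

Run it against the response header of the page the iframe loads, with the backend URL as the ancestor: a False result with 'none' in the parsed frame-ancestors list is exactly the symptom described above, and the fix belongs on the framed page's policy, not on the backend's frame-src.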