Issue using PageBuilder page as canvas for Facebook app

I am attempting to use a secure PageBuilder page as a canvas in an FB app.  It all appears to be working except for one issue.  In the developer console (I've only looked at it in Chrome) I get the following: [Report Only] Refused to display 'https://donate.bgca.org/site/SPageNavigator/welcome_series_quiz_201612.html?pgwrap=n' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".


I see that Luminate is including 'Content-Security-Policy-Report-Only:frame-ancestors 'self'; report-uri http://bgca.convio.net/site/XFrameViolation' in the response headers and thus the warning.


I also see that 'Report-Only'  will not block the page load, so it appears to be working for now.


Is this going to be a problem in the future?  That is, will Luminate, at some point, actually start blocking cross-domain iframe loading?


If so, is there a workaround or setting that may be changed to allow this?

Comments

  • Patrick Hynes:

    It's probably not too safe. Even if Convio doesn't start blocking it, Google is getting more and more aggressive about throwing warnings over mixed content. https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn would be a good example, and it's going to be rough the way that LO is set up right now.


    I also vaguely recall something in Noah's LuminateExtend.js being changed related to CORS in order to avoid mixed content issues. So at least it's on someone's radar at Convio.

  • Jeremy Reynolds:

    Patrick,


    Recently we rolled out new SDPs to help prevent clickjacking and to ensure we stay within our PCI compliance.  In the process, we are making an SDP that allows you to whitelist domains you plan to iframe outside of Luminate.  I also would like to note that what Patrick stated above is correct and we need to be aware that browsers like Chrome and others will start making it difficult to deliver secure content iframed onto a nonsecure page. This is done to prevent fraudulent activity such as clickjacking.


    The SDP where you can whitelist is: SEC_CSP_FRAME_ANCESTORS_DOMAINS


    We have already prioritized a few domains to be whitelisted so you don't have to add:
    • Self
    • *.facebook.com
    • *.salesforce.com
    • *.convio.net
    • *.google.com
    By March, we'll start enforcing the xframes SDP to ensure you are whitelisting your domains and adhering to best practices when trying to host content outside Luminate. If, for some reason, you don't whitelist your domain and it's not covered by the ones above, then your content will not be served in the iframe after our March update to the SDP.
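An added example, not code from this thread, from Luminate, or from Blackbaud, that shows why the original poster's page still rendered (the header is Report-Only, so a violation only triggers a report to the report-uri) and what changes once the frame-ancestors list is enforced with wildcard hosts like the defaults listed above. It assumes the enforced policy is emitted as a plain `frame-ancestors` header built from those domains; the thread lists the domains but not the exact header. The embedder origins are constructed for the example; the Report-Only header value is the one quoted in the original post.

```javascript
// Added example, not code from the thread or from Luminate. Given the CSP
// headers a framed page returns and the origin of the page embedding it,
// decide whether the browser renders the frame and where a violation report
// would go. Matching follows the CSP Level 3 host-source rules.

// Parse a CSP header value into a Map of directive name -> source tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(scheme) {
  return scheme === "https" ? "443" : "80";
}

// Break an origin such as "https://apps.facebook.com" into scheme, host, port.
function originParts(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(":", "");
  return { scheme, host: u.hostname, port: u.port || defaultPort(scheme) };
}

// Does a single frame-ancestors source expression match the embedder origin?
function sourceMatches(source, page, ancestor) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") {
    return ancestor.scheme === page.scheme && ancestor.host === page.host &&
      ancestor.port === page.port;
  }
  if (s === "*") return ancestor.scheme === "http" || ancestor.scheme === "https";
  // A scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.scheme === s.slice(0, -1);
  // A host-source: optional scheme, host (maybe "*." wildcard), optional port.
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?/);
  if (!m) return false;
  const [, scheme, hostPattern, portPattern] = m;
  if (scheme) {
    if (ancestor.scheme !== scheme) return false;
  } else if (ancestor.scheme !== page.scheme &&
             !(page.scheme === "http" && ancestor.scheme === "https")) {
    // No scheme given: the embedder must use the page's scheme (or upgrade
    // http -> https). This is why an https page cannot be framed by http.
    return false;
  }
  const portOk = portPattern
    ? portPattern === "*" || portPattern === ancestor.port
    : ancestor.port === defaultPort(ancestor.scheme);
  if (!portOk) return false;
  if (hostPattern.startsWith("*.")) {
    // "*.facebook.com" matches subdomains only, not the bare "facebook.com".
    const suffix = hostPattern.slice(1);
    return ancestor.host.endsWith(suffix) && ancestor.host.length > suffix.length;
  }
  return hostPattern === ancestor.host;
}

// Evaluate both the enforced and the report-only policy, if present.
function evaluateFrameAncestors(headers, pageOrigin, ancestorOrigin) {
  const page = originParts(pageOrigin);
  const ancestor = originParts(ancestorOrigin);
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : null;
  };
  const policies = [
    ["enforce", header("content-security-policy")],
    ["report-only", header("content-security-policy-report-only")],
  ];
  let rendered = true;
  const reportedTo = [];
  for (const [mode, value] of policies) {
    if (!value) continue;
    const directives = parseCsp(value);
    const sources = directives.get("frame-ancestors");
    if (!sources) continue; // no frame-ancestors directive: nothing to check
    if (sources.some((src) => sourceMatches(src, page, ancestor))) continue;
    // Violation: an enforced policy blocks rendering; a report-only policy
    // (what the original poster saw) only sends a report and logs a warning.
    if (mode === "enforce") rendered = false;
    const reportUri = directives.get("report-uri");
    if (reportUri && reportUri.length > 0) reportedTo.push(reportUri[0]);
  }
  return { rendered, reportedTo };
}

// Constructed inputs: the Report-Only header quoted in the thread, and an
// enforced header built from the default domain list (an assumption about
// how the SDP is rendered as a header; the thread lists only the domains).
const REPORT_ONLY_HEADERS = {
  "Content-Security-Policy-Report-Only":
    "frame-ancestors 'self'; report-uri http://bgca.convio.net/site/XFrameViolation",
};
const ENFORCED_HEADERS = {
  "Content-Security-Policy":
    "frame-ancestors 'self' *.facebook.com *.salesforce.com *.convio.net *.google.com",
};
const PAGE = "https://donate.bgca.org";

for (const embedder of ["https://apps.facebook.com", "https://facebook.com",
                        "http://apps.facebook.com", "https://example.org"]) {
  console.log(embedder,
    "report-only:", evaluateFrameAncestors(REPORT_ONLY_HEADERS, PAGE, embedder),
    "enforced:", evaluateFrameAncestors(ENFORCED_HEADERS, PAGE, embedder));
}
```

Two details worth checking before relying on the whitelist: a wildcard entry such as `*.facebook.com` does not cover the bare domain, and a host without an explicit scheme only matches embedders on the same (or an upgraded) scheme, so an `http://` parent page will fail the check even if its domain is on the list, which is the same mixed-content situation Patrick raised.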
