Stealth forwarding iframe does not work properly.

Forum Moderators: phranque

Message Too Old, No Replies

Stealth forwarding iframe does not work properly.

CORS/http-> https issue?

balc

9:49 pm on Oct 30, 2014 (gmt 0)

Hi,
I have a website on domain x like [example.com....] One of our customers want to use their own domain name in the address bar and redirect to our web application. In the control panel of the customers website, we can forward the site to our domain without issues (stealth forwarding). After that, we are able to see the site and navigate to some options. But there are some issues/limitations. I cannot open some links, or click on tabs. The login feature works for chrome but not for internet explorer. Is this due the jump of http to https within an iframe? Or is it related to CORS? I have a Windows 2008 R2 server with Apache, which is the frond-end for the tomcat instances. "Tomcat Apache" serves our Java-based web application (mod_jk binded)

How can i fix this issue?

Any idea is appreciated.

[edited by: phranque at 10:13 pm (utc) on Oct 30, 2014]
[edit reason] exemplified domain [/edit]

phranque

10:20 pm on Oct 30, 2014 (gmt 0)

welcome to WebmasterWorld, balc!

please define stealth forwarding.
is it a proxy server? or an alias domain and DNS configuration?

balc

2:10 pm on Oct 31, 2014 (gmt 0)

Stealth forwarding is similar to domain forwarding except the domain name stays in the web browser's URL bar instead of being replaced by the new page's URL. This is is why it is called "stealth" forwarding because it appears that the web page displayed is actually part of the domain.

So say that you have a domain named Example.org, and you want to use stealth forwarding to have your domain point to http://name.example.com. When you use stealth forwarding, http://www.example.org will load the index page located at http://name.example.com, however the http://www.example.org address will be displayed in the web browser's URL bar instead of the http://name.example.com address.

I've changed this setting within the control panel of the website, without changing the DNS settings...

[edited by: Ocean10000 at 5:32 pm (utc) on Nov 1, 2014]
[edit reason] Examplified [/edit]

balc

12:18 pm on Nov 1, 2014 (gmt 0)

After research i get the following error message:

Refused to display 'https://subdomain.Example.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Any idea?

What is the best way to enable only one site to embed in iframe and deny all the other sites?

Or should i create a subdomain on my own environment like:

[customername.Example.com...]

How to realize this? And what are the settings

[edited by: Ocean10000 at 5:38 pm (utc) on Nov 1, 2014]
[edit reason] Examplified [/edit]

penders

11:10 am on Nov 2, 2014 (gmt 0)

Refused to display 'https://subdomain.Example.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

This is an HTTP response header that your server is returning (where your web app is hosted), to obviously prevent other sites from framing yours.

What is the best way to enable only one site to embed in iframe and deny all the other sites?

In theory, you can set this header with the value "ALLOW-FROM uri", to enable your "one site to embed" it, however, browser support does not appear to be very good. What happens if the browser does not support this... is it blocked, or is it allowed?! I suspect you should specify multiple "X-Frame-Options" to allow for this?

More information:
[developer.mozilla.org...]