[RESOLVED] [X-FRAME-OPTIONS] How to properly set it up?

Posted: Sun May 23, 2010 2:09 pm
by skipbr
Ok, after spending an hour (or two) reading through some topics I still haven't found a way to fix my problem.

Several months ago, an orkut app just stopped working after a NoScript update. I found it pretty annoying having a warning "This content cannot be displayed in a frame", but I could still click on the link "Click here to open this content in a new window", and reloading the page would allow me to use the app.
However, after another update, this trick no longer works and I have to switch to Google Chrome to use that app (note this works fine in Chrome, Opera 10+, IE7/8).

After some googling I found out that I can simply turn noscript.frameOptions.enabled = false and have this app working, but it feels like opening the door to a stranger.
Also, after turning it off, NoScript started to throw several warning/error messages regarding security issues in the error console, and the noscript.frameOptions.parentWhitelist didn't seem to work when adding other domains (used space, semi-colon, comma, dot to separate multiple values).

Bottom line, is there a way to have it working just by setting an XSS/ABE ruleset?

Right now I have whitelisted all domains listed in the error message (read below), but it didn't help either.

Console message

X-FRAME-OPTIONS: blocked http://www.orkut.gmodules.com/gadgets/proxy/refresh=10800&container=orkut&gadget=http%3A%2F%2Fbuddypoke.s3.amazonaws.com%2Forkut.xml/http://buddypokeapp.appspot.com/static/vc19/swften/BuddyPoke2Streamer.swf?rel=xmas19&sv=3.010&s=5
NoScript 1.9.9.79
Firefox/Pale Moon 3.6.3
Other addons: Adblock Plus, Adblock Plus Element Hiding Helper, Greasemonkey, Stylish, Orkut Manager.

Re: [X-FRAME-OPTIONS] How to properly set it up?

Posted: Sun May 23, 2010 2:21 pm
by Giorgio Maone
What's the (parent) URL where this happens?
BTW, that's the address which you should add (unless I found this being a bug) to the noscript.frameOptions.parentWhitelist preference (space-separated).

Re: [X-FRAME-OPTIONS] How to properly set it up?

Posted: Sun May 23, 2010 3:37 pm
by skipbr
Giorgio Maone wrote: What's the (parent) URL where this happens?
BTW, that's the address which you should add (unless I found this being a bug) to the noscript.frameOptions.parentWhitelist preference (space-separated).
http://www.orkut.com
http://www.orkut.com.br

both are in the whitelist btw.

No bug... I was just adding the wrong URL :oops:
It's working fine now.

Should I worry about this?

Error: Permission denied for <http://bipq8hub3ub1r4mcejdm9urlpd456fkn.43931632273.a.orkut.gmodules.com> to call method Location.toString on <http://www.orkut.com.br>.

Thanks!
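The rule Giorgio describes above (the value that belongs in noscript.frameOptions.parentWhitelist is the parent page's address, space-separated, not the framed gadget's URL) as an added illustrative model. This is example code, not NoScript's implementation; the function names, the sample URLs and the assumption that a whitelisted parent bypasses the header check are mine.

```javascript
// Illustrative model of an X-Frame-Options check with a NoScript-style parent
// whitelist. Not NoScript's code: names and exact semantics are assumptions.

function originOf(url) {
  return new URL(url).origin;            // scheme://host[:port], lowercased
}

// The thread states the preference is space-separated; split it into origins.
function parseParentWhitelist(pref) {
  return pref.split(/\s+/).filter(Boolean).map(originOf);
}

// Decide whether `framedUrl` may be embedded by the top-level `parentUrl`.
// `headerValue` is the X-Frame-Options value the framed resource sent.
// Returns "allow" or "block".
function frameDecision(headerValue, framedUrl, parentUrl, whitelist) {
  const parent = originOf(parentUrl);
  // The exemption is keyed on the PARENT origin, not on the framed URL.
  if (whitelist.includes(parent)) return "allow";
  const raw = (headerValue || "").trim();
  const directive = raw.toUpperCase();
  if (directive === "DENY") return "block";
  if (directive === "SAMEORIGIN") {
    return originOf(framedUrl) === parent ? "allow" : "block";
  }
  if (directive.startsWith("ALLOW-FROM")) {
    try {
      const allowed = originOf(raw.slice("ALLOW-FROM".length).trim());
      return allowed === parent ? "allow" : "block";
    } catch (e) {
      return "block";                    // unparsable ALLOW-FROM URL: fail closed
    }
  }
  return "allow";                        // no header: nothing to enforce
}

// Constructed sample values, shortened from the URLs quoted in the thread.
const FRAMED = "http://www.orkut.gmodules.com/gadgets/proxy/BuddyPoke2Streamer.swf";
const PARENT = "http://www.orkut.com.br/Main";

// Whitelisting the framed gadget URL (skipbr's first attempt) changes nothing;
// whitelisting the parent origins is what lets the frame load.
const wrongList = parseParentWhitelist(FRAMED);
const rightList = parseParentWhitelist("http://www.orkut.com http://www.orkut.com.br");
console.log(frameDecision("SAMEORIGIN", FRAMED, PARENT, wrongList)); // block
console.log(frameDecision("SAMEORIGIN", FRAMED, PARENT, rightList)); // allow
```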

Re: [X-FRAME-OPTIONS] How to properly set it up?

Posted: Sun May 23, 2010 4:00 pm
by Giorgio Maone
skipbr wrote: Should I worry about this?

Error: Permission denied for <http://bipq8hub3ub1r4mcejdm9urlpd456fkn.43931632273.a.orkut.gmodules.com> to call method Location.toString on <http://www.orkut.com.br>.
Nothing to worry about.

Could you please give me more details on how to reproduce your original issue, so I can check whether my X-FRAME-OPTIONS implementation has a bug or not?

Re: [X-FRAME-OPTIONS] How to properly set it up?

Posted: Sun May 23, 2010 5:10 pm
by skipbr
Giorgio Maone wrote: Could you please give me more details on how to reproduce your original issue, so I can check whether my X-FRAME-OPTIONS implementation has a bug or not?
Join http://www.orkut.com
Add BuddyPoke to your account.

Once you add it, it'll be available in your profile (using the new orkut layout: Home -> +more -> BuddyPoke, or under the old layout: My Apps menu).

If anything had changed, you'll get the "This content cannot be displayed in a frame" message.