Cross-Origin Framing


(Steven Greco) #1

I am using SSO with WordPress, and it is set up so that when a user logs into the WordPress site, an iframe opens to call the SSO to log the user in to the Discourse site.

I am using the code @AdamCapriola posted here.
https://meta.discourse.org/t/official-single-sign-on-for-discourse/13045/146?u=grex315&source_topic_id=26984

I have turned on CORS on the Discourse installation and rebuilt the app, as my WordPress site sits at mysite.com and my Discourse site sits at forums.mysite.com:Port#, as they are on the same VPS. The NGINX server that runs my WordPress site also acts as a proxy to my Discourse site.

My issue is I am receiving the error:

Load denied by X-Frame-Options: http://forums.mysite.com/ does not permit cross-origin framing.

What's funny to me is that the call is actually going through, because the user does get logged into the Discourse site, but the error stops the WordPress page from completely loading.

Checking the header, I see that X-Frame-Options: SAMEORIGIN is set. Since I have Discourse set on a different port, this is blocking my call. How best can I alter this for Discourse? Does CORS not affect X-Frame-Options?

Thanks
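
Added example (not part of the original thread or of Discourse's code): a simplified JavaScript model of the framing check behind the error quoted above. It shows that `X-Frame-Options: SAMEORIGIN` compares scheme, host and port, and that CORS response headers are never consulted. Port 8080 and all function names are constructed for illustration; the CSP `frame-ancestors` handling covers only `'none'`, `'self'` and exact origins.

```javascript
// Simplified model of a browser's decision to render a framed response.
// Assumptions: one parent frame only, no wildcard CSP sources.
function originOf(source) {
  try { return new URL(source).origin; } catch (e) { return null; }
}

function framingAllowed(parentUrl, framedUrl, headers) {
  const parent = new URL(parentUrl).origin; // scheme + host + port
  const framed = new URL(framedUrl).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors, when present, is used instead of X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    if (sources.includes("'none'")) return false;
    return sources.some(s =>
      s === "'self'" ? parent === framed : originOf(s) === parent);
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent === framed;
  return true; // no recognised framing restriction
  // Access-Control-Allow-Origin is deliberately never read: CORS governs
  // cross-origin reads by script, not whether a page may be framed.
}

// Constructed sample values mirroring the setup in the post.
const PARENT = 'http://mysite.com/';
const FRAMED = 'http://forums.mysite.com:8080/session/sso'; // port is made up

function demo() {
  const cors = { 'Access-Control-Allow-Origin': 'http://mysite.com' };
  return {
    xfoWithCors: framingAllowed(PARENT, FRAMED,
      { 'X-Frame-Options': 'SAMEORIGIN', ...cors }),
    sameHostOtherPort: framingAllowed('http://forums.mysite.com/', FRAMED,
      { 'X-Frame-Options': 'SAMEORIGIN' }),
    explicitAncestor: framingAllowed(PARENT, FRAMED,
      { 'X-Frame-Options': 'SAMEORIGIN',
        'Content-Security-Policy': "frame-ancestors 'self' http://mysite.com" }),
  };
}
```

In this model only the third case renders: the framed site has to name the parent origin itself, and enabling CORS changes nothing.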


(Steven Greco) #2

So it looks like what I am trying to do is technically not supported.


(Steven Greco) #3

Does anyone know of a way that I can handle the error that comes back? The iframe does not need to be displayed, as it's still executing the login. But the error stops the page from fully loading.


(Steven Greco) #4

Solved my own issue. Instead of using an iframe, I am using embed.

So the line looks like:

echo '<embed src="http://forums.mysite.com/session/sso" width="0" height="0" tabindex="-1" title="Discourse SSO" style="display:none" hidden>' . "\n";

(Kane York) #5

This might be even better:

<embed src="http://forums.mysite.com/session/sso" width="0" height="0" tabindex="-1" title="Discourse SSO" style="display:none" hidden onload="window.location='/login_complete.php'">

(Steven Greco) #6

Cleaned up my code a bit; was having issues with Chrome.

echo '<embed src="http://forums.mysite.com/session/sso" width="0" height="0" />' . "\n";

Removed unsupported tags for embed. FF will ignore stuff like that, but Chrome will stop it. It still throws the "can't open frame due to SAMEORIGIN" error in the console, but it will allow the page to continue to load.


(DD) #7

Hi, I have replaced the iframe tag with the embed tag, but it's still showing that error.
Is there any alternative way to render the Discourse application inside an LMS (EDX)?