Plone.protect and iframes

for the Olympics site we developed a small widget to embed content on third party sites:

(I just discovered that we forgot to translate it into English, sorry about that.)

this page generates an iframe code pointing to this browser view:

we received reports the other day that the widget has stopped working and after some review we discovered the X-Frame-Options header that is now included in the newest release of plone.protect (we're using v3.0.18).

we changed this header by adding the following to the browser view `__call__()` method:

```python
self.request.response.setHeader('X-Frame-Options', 'ALLOWALL')
```

but the iframe code still is not shown in a third party site we have set up for tests.

any ideas of what's going on?

1 Like

Maybe your browser cached it? It is working for me. Can you share your 3rd party site?

1 Like

I added it into a template and it works:

@davilima6 this is not working for me because of a mix of https and non-https -> Heroku uses SSL and the iframe does not, so Firefox is blocking the content of the iframe :slight_smile:

Well indeed if you change the link I posted to https the widget stops working. I confirm that. No matter what browser.

Besides, I noticed they don't have an https version of the site. I guess if they had, it would work for all by omitting the protocol from the iframe source when advertising the widget.

Why did you have to create a widget? Why not use ? Asking because that's what I'm using on Plone 5.0 test instance. Should I not be using that? As long as the "http" part matches for both sites, it works.

thank you for your feedback, guys; in fact, in my case, a browser plugin (Privacy Badger) was blocking the iframe content and it was driving me mad.

@vangheem how can I avoid the protect.js script from being added at the end of this browser view?

BTW, I was reading yesterday about Content Security Policy Level 2 and saw the X-Frame-Options header is already deprecated in favor of the frame-ancestors directive.

@3dogMcNeill the iframe is used to insert content in other Government or third party sites; the widget is used to select what content you want to include in the iframe.

ah, ok. thanks.

@hvelarde protect.js should only be added for logged in users.

Mixing http and https for sites / iframe will be blocked by some browsers.

So, to be sure you need two http-sites, or two https-sites.

1 Like

and what about Content Security Policy Level 2?

There is no built-in support for it at this point but the security team will have to take a look at it.

1 Like
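
Added example, not part of the thread and not plone.protect code: a simplified Python model of how a browser decides whether to render a framed response, covering the three things discussed above (a lone unrecognized `X-Frame-Options` value such as `ALLOWALL`, mixed http/https content, and CSP `frame-ancestors`). It assumes a single level of embedding and matches only `'none'`, `'self'`, `*` and exact origins in `frame-ancestors`; the function names and example hosts are hypothetical.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname, port)

def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_decision(parent_url, frame_url, headers):
    """Return (allowed, reason) for parent_url showing frame_url in an iframe."""
    parent, frame = origin(parent_url), origin(frame_url)
    # An https page embedding an http frame is blocked before headers matter.
    if parent[0] == "https" and frame[0] == "http":
        return (False, "mixed content")
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is not consulted
        for src in sources:
            s = src.lower()
            if s == "*" or (s == "'self'" and parent == frame):
                return (True, "frame-ancestors")
            if "://" in s and origin(s) == parent:  # exact origins only, no wildcards
                return (True, "frame-ancestors")
        return (False, "frame-ancestors")  # 'none', empty list, or no match
    # A lone unrecognized value (e.g. ALLOWALL) counts as if the header were absent.
    values = {v.strip().lower() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if len(values) > 1 and values & {"deny", "sameorigin", "allowall"}:
        return (False, "x-frame-options (conflicting values)")
    if values == {"deny"} or (values == {"sameorigin"} and parent != frame):
        return (False, "x-frame-options")
    return (True, "no effective restriction")

if __name__ == "__main__":
    # Constructed sample: hypothetical hosts, header value from the first post.
    print(framing_decision("http://partner.example/", "http://portal.example/widget",
                           {"X-Frame-Options": "ALLOWALL"}))
```

Sending an explicit `Content-Security-Policy: frame-ancestors ...` list names the sites allowed to embed the view, instead of relying on browsers ignoring an unrecognized `X-Frame-Options` value.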

I created an issue for that last year, with hopefully useful and clear explanation:


Some times our iframe request confirm:[]=Segurança&paralympic=Vela&

So we ended up taking out plone.protect in the widget view.