hi list
I have the problem in RC 0.6 (and latest SVN) that I am not able to use roundcube with the dyndns webhop service... thus running roundcube in a surrounding frame! the error message in FF console is e.g.:
security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
what could be my problem? is this a bug or a feature?
thanks
Andreas
_______________________________________________
List info: http://lists.roundcube.net/dev/
BT/aba52c80

On 18.10.2011 22:17, Andreas Dick wrote:
> hi list
> I have the problem in RC 0.6 (and latest SVN) that I am not able to use roundcube with the dyndns webhop service... thus running roundcube in a surrounding frame! the error message in FF console is e.g.:
> security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
> what could be my problem? is this a bug or a feature?
i would check the main.cf as a first step. did you explicitly specify realserver.ch somewhere, e.g. $rcmail_config['session_domain'] ?
i use
$rcmail_config['session_domain'] = $_SERVER['SERVER_NAME'];
so that i do not have to bother about choosing the right session_domain setting :)
cheers,
raoul

>> security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
> i would check the main.cf as a first step. did you explicitly specify realserver.ch somewhere, e.g. $rcmail_config['session_domain'] ?
no, it was empty.
> i use $rcmail_config['session_domain'] = $_SERVER['SERVER_NAME'];
does not help at all!
even if I set session_log to true, no logging at all!
it worked in RC0.5 with the empty session_domain, thus there must be a change in the code...
Andreas

On 18.10.2011 22:17, Andreas Dick wrote:
> security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
// Possible values: sameorigin|deny. Set to false in order to disable sending them
$rcmail_config['x_frame_options'] = 'sameorigin';

On Wednesday, 19 October 2011, at 08.15:49, A.L.E.C wrote:
> On 18.10.2011 22:17, Andreas Dick wrote:
>> security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
> // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
> // Possible values: sameorigin|deny. Set to false in order to disable sending them
> $rcmail_config['x_frame_options'] = 'sameorigin';
thanks ALEC! this was the problem... I did not understand this feature, now I do :-)
Andreas

On Wed, Oct 19, 2011 at 8:05 PM, Andreas Dick andudi@gmx.ch wrote:
> On Wednesday, 19 October 2011, at 08.15:49, A.L.E.C wrote:
>> On 18.10.2011 22:17, Andreas Dick wrote:
>>> security error: content at http://realserver.ch/roundcube/ is not allowed to load data from von http://niceurl.ch/
>> // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
>> // Possible values: sameorigin|deny. Set to false in order to disable sending them
>> $rcmail_config['x_frame_options'] = 'sameorigin';
> thanks ALEC! this was the problem... I did not understand this feature, now I do :-)
> Andreas
Just adding my two cents here:
We need to figure out more ways to effectively prevent clickjacking.
Is running RoundCube in a frame a huge feature for you guys? Because it opens the gates for all kinds of abuse.
Till
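
As an added illustration that is not part of the thread or of Roundcube's code, this JavaScript sketch models the browser's X-Frame-Options decision for the setup discussed above: Roundcube on realserver.ch framed by the webhop page on niceurl.ch. Function names are hypothetical, the scenarios are constructed, and the sketch checks every ancestor frame.

```javascript
// Added example, not Roundcube code. Function names are hypothetical.

// Map the x_frame_options setting quoted in the thread to the header that is sent.
// Per the config comment: 'sameorigin' or 'deny'; false disables the header.
function headerFromConfig(xFrameOptions) {
  if (xFrameOptions === false) return null;
  return String(xFrameOptions).toUpperCase();
}

// Browser-side decision: may the response at framedUrl render inside the
// given chain of embedding pages (nearest parent first)?
function mayRenderInFrame(framedUrl, headerValue, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;   // top-level load, nothing to check
  if (headerValue === null) return true;        // no header sent, no restriction
  const policy = headerValue.trim().toLowerCase();
  if (policy === 'deny') return false;
  if (policy !== 'sameorigin') return true;     // assumption: unrecognised value is ignored
  const own = new URL(framedUrl).origin;        // scheme + host + port
  return ancestorUrls.every((u) => new URL(u).origin === own);
}

// Constructed scenarios using the two hostnames from the thread.
const ROUNDCUBE = 'http://realserver.ch/roundcube/';
const scenarios = [
  { name: 'webhop frame, sameorigin', cfg: 'sameorigin', parents: ['http://niceurl.ch/'] },
  { name: 'webhop frame, header off', cfg: false, parents: ['http://niceurl.ch/'] },
  { name: 'own-site frame, sameorigin', cfg: 'sameorigin', parents: ['http://realserver.ch/portal/'] },
  { name: 'own-site frame, deny', cfg: 'deny', parents: ['http://realserver.ch/portal/'] },
  { name: 'direct visit, deny', cfg: 'deny', parents: [] },
];

// Evaluate every scenario and return which ones the browser would render.
function evaluate() {
  return scenarios.map((s) => ({
    name: s.name,
    rendered: mayRenderInFrame(ROUNDCUBE, headerFromConfig(s.cfg), s.parents),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.rendered ? 'rendered' : 'blocked '}  ${r.name}`);
}
```

With 'sameorigin' only the webhop frame is blocked; setting the option to false lets any site frame the login page, which is the exposure Till's message is about.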