7

I am working on a WordPress website in which there are a lot of wordpress plugins installed.

The plugins installed on the wordpress website has the following options:

enter image description here

When I click on View details option, I am getting the blank screen as shown below in an image but when I open in a new window or tab, it works.

On checking console, I am getting the following error (when clicking on View Details fails to open on the same page):

Blocked a frame with origin from accessing a cross-origin frame.
  at Contents
  at Function.map
  at a.fn.init.n.fn.(anonymous function) [as contents]
  and many other places.

enter image description here


Problem Statement:

I am wondering which file I need to modify in wordpress in order to solve this error. This error seems to exist in every wordpress plugins. It works in a new tab or window but fails to work in the same page.

john
  • 9,493
  • 34
  • 111
  • 210
  • 1
    Probably a common issue. Would check questions on https://wordpress.stackexchange.com/ – charlietfl Nov 12 '18 at 04:46
  • @NikosM. Hi, I had a look on the link but I am unable to find any concrete answer. I am going to open my wordpress website on different browser. – john Nov 14 '18 at 15:22
  • blocking frame conent if it is from different origin is common to all browsers but can change with a browser setting, it is not a wordpress issue it is a browser securoty issue – Nikos M. Nov 14 '18 at 17:00
  • Nikos M I am wondering what browser settings I need to change let say for example chrome. I am wondering what settings I need to change there in order to make it work. – john Nov 14 '18 at 18:42
  • @NikosM. Are you around ? – john Nov 15 '18 at 03:16
  • @john, here are some links I found relating to this issue on chrome, take a look (with caution as it will break your web security): https://www.technipages.com/google-chrome-bypass-blocked-cross-origin-frame and https://github.com/cypress-io/cypress/issues/1951 – Nikos M. Nov 15 '18 at 08:48
  • Probably in your plugin there may be `ajax call` to a cross domain, so you need to allow cross domain in the `ajax call` – Ramesh Nov 15 '18 at 11:58
  • @Ramesh Ok, I will allow cross domain in the ajax call. Thanks for letting me know. I only have the wordpress admin access at this moment. Do I also need wordpress server access in order to make the modification in the files ? – john Nov 19 '18 at 00:49
  • 1
    @Ramesh — No. The error says the problem is accessing a cross origin iframe. – Quentin Jan 08 '19 at 15:13
  • My best guess at this is that WordPress thinks it is installed on a different origin to the one you are accessing it on. e.g. `http://example.com/` vs `http://www.example.com/`. You need to normalise your origins so you only use one. – Quentin Jan 08 '19 at 15:14

1 Answers1

-2

The browser is blocking the new frame due to an HTTP security header. There are few relevant security headers and you can get the details here: https://www.dionach.com/blog/an-overview-of-http-security-headers

Most likely, that one of the WordPress security plugins is injecting this header.

In rare cases, the web server itself was configured to inject those headers.

I suggest to search through the settings of all active security plugins to find where the "Same Origin Policy" is forced on admin screens.

If you can't find the setting directly, then disable the plugins one-by-one, till the issue is resolved. Of-course, there is a plugin to disable plugins for you only (without affecting any other user): https://wordpress.org/plugins/health-check/

Yuval Papish
  • 7
  • 2
  • No. If it was any of these then the error message would mention it. Disallowed access to cross-origin pages via iframes is the default behaviour. – Quentin Jan 08 '19 at 15:12