Hi there, I’m happy to try and help with this!
Unfortunately, it appears you’re running into the crux of an issue with iframes in general. Three of the websites you’ve listed have either set a header called X-Frame-Options to SAMEORIGIN and/or set a Content-Security-Policy that does not include your domain in the directives list.
The fourth website is using the insecure https:// protocol, and if you’re using the secure https:// protocol, no browser will show that website due to insecure content policy changes made a few years ago. Content Mask attempts to alleviate this by force-upgrading the iframe to https:// when used on a secure site, but if the site in question doesn’t have a valid SSL certificate, it still won’t show (it wouldn’t have shown anyways, so there’s nothing to lose when trying to upgrade the protocol).
This leaves you with two options:
The first, and best, option is to contact the sites in question that you would like to iframe, and request they don’t use the X-Frame-Options: SAMEORIGIN header, and instead use a Content-Security-Policy header and add your website to their policy directives list. Websites use one or both of these headers to help mitigate malicious actors including those attempting Clickjacking attacks. I’ve actually got a simple test on my website that you can put a URL in to check if it’s using a CSP or XFO header.
The second option would be to instead use the download method instead of the iframe option. This can cause some issues with forms and things though, so it’s really more of a fallback, as generally if you’ve got license/rights to use the content, the owner can add your domain to their CSP header. It’s intended more as a fallback for people using a SaaS solution where the owner of the page content isn’t also the host/provider for the solution (such as landing pages and things of that nature).
The last option, if you’re unable to get added to the CSP headers and the download method doesn’t work, would be to just use the 301 Redirect option, which isn’t as graceful as it no longer shows your URL, but still gets your visitors to the intended content.
I hope that helps clarify things a bit!
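
The header check described in the reply above, as an added example (not part of the original post, and not the Content Mask plugin's or the author's own test code). It takes response headers you have already fetched and decides whether a given origin may frame the page, applying the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options. The function names, hostnames and sample headers are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def _port(u):
    return u.port or DEFAULT_PORT.get(u.scheme)

def _source_matches(source, origin):
    """Match one frame-ancestors source expression against an origin."""
    o = urlsplit(origin)
    if source == "*":
        return True
    if source.endswith(":"):                       # scheme-only source, e.g. https:
        return o.scheme == source[:-1].lower()
    # Host-only sources (no scheme) are read with the embedder's scheme.
    s = urlsplit(source if "://" in source else f"{o.scheme}://{source}")
    host, ohost = s.hostname or "", o.hostname or ""
    # *.example.com covers subdomains only, not example.com itself.
    host_ok = ohost.endswith(host[1:]) if host.startswith("*.") else host == ohost
    # Simplification: schemes must match exactly; wildcard ports are unsupported.
    return s.scheme == o.scheme and host_ok and _port(s) == _port(o)

def can_frame(headers, page_url, embedder_origin):
    """Return (allowed, reason) for embedder_origin framing page_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page = urlsplit(page_url)
    page_origin = f"{page.scheme}://{page.netloc}"
    # A comma separates independent policies; every one must allow the embedder.
    found = False
    for policy in h.get("content-security-policy", "").split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if not parts or parts[0].lower() != "frame-ancestors":
                continue
            found = True
            sources = [page_origin if p.lower() == "'self'" else p
                       for p in parts[1:] if p.lower() != "'none'"]
            if not any(_source_matches(s, embedder_origin) for s in sources):
                return False, "blocked by CSP frame-ancestors"
            break                                  # only the first occurrence counts
    if found:                                      # frame-ancestors supersedes XFO
        return True, "allowed by CSP frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY" or (xfo == "SAMEORIGIN"
                         and not _source_matches(page_origin, embedder_origin)):
        return False, f"blocked by X-Frame-Options: {xfo}"
    return True, "no framing restriction found"

if __name__ == "__main__":  # constructed sample response headers
    print(can_frame({"X-Frame-Options": "SAMEORIGIN"},
                    "https://news.example/a", "https://myblog.example"))
```

The check covers only the direct embedder; a browser applies frame-ancestors to every ancestor frame in the chain.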