Log into wordpress accounts within iframe
Hello! For “reasons” I have a need to allow my website to be displayed in an iframe and logged into. I’ve a specific page on the site which uses wp_login_form() to display a form, but when you use it from within the iframe, the login doesn’t seem to work. Works fine when not loaded from the iframe.
I’m assuming this is some cross site protection or something similar. Is this controllable in any way? (and if so, limitable so I can restrict it to allow one certain domain?)
Thanks for any help and advice
Perhaps this will help you. Found it with a quick Googling:
https://stackoverflow.com/questions/42773599/wordpress-login-inside-an-iframe
Yeah, I’ve looked at that, but I don’t understand enough about how this stuff works to follow it. I’ve attempted adding both suggestions of
remove_action( 'login_init', 'send_frame_options_header' );
remove_action( 'admin_init', 'send_frame_options_header' );
and
header('X-Frame-Options: GOFORIT');
to my custom login page, but I’m guessing that’s in the wrong place?
Also, I’m not seeing any error when it logs in. It’s redirecting to the page I’ve specified in the wp-login args, but just doesn’t appear to be logging me in!
In the example on stack overflow they are saying they are seeing:
“Refused to display ‘https://example.com/wp-login.php’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’.”
EDIT: Although if I fill the login form with rubbish, I DO get that error! *confused*
- This reply was modified 4 years, 1 month ago by delanthear.
But the link I sent you tells you where to add the code. https://stackoverflow.com/a/42774262
If you don’t know how to edit a (child) theme functions.php file then use the Code Snippets plugin.
Oh, I’m being a moron! Yeah, I can add that to functions.php.
I just need to work out how to only change those headers from a certain login form, or perhaps when loaded from a frame of a particular site.
In your functions.php, try something like:
if ( is_page( x ) ) {
    remove_action( 'login_init', 'send_frame_options_header' );
    remove_action( 'admin_init', 'send_frame_options_header' );
}
where 'x' is the page ID or slug of your specific login page using wp_login_form() ..?
- This reply was modified 4 years, 1 month ago by Little Package. Reason: remove HTML from PHP code block
Yeah, I can’t seem to get that to work. Which page is the one that needs the header options changing? Is it the post to login, or the page which receives the login?
Having the remove_action calls just done in functions.php doesn’t seem to work either way :/
You said you had a “custom login page” so I assumed there was a page ID associated with that.
Yes, but I don’t know if it’s the page with the login form in that needs the headers changing, or if it’s the page which receives the login post which requires it. (or both?)
Either way, calling the remove_action when the login page is loaded doesn’t seem to help, nor generally removing them in functions.php for all WordPress loads.
Try again by making the calls happen when you specify, using something like
function my_send_frame_options_header() {
    if ( is_page( x ) ) {
        remove_action( 'login_init', 'send_frame_options_header' );
        remove_action( 'admin_init', 'send_frame_options_header' );
    }
}
add_action( 'login_enqueue_scripts', 'my_send_frame_options_header' );
or
function cap_send_frame_options_header() {
    if ( is_page( x ) ) {
        remove_action( 'login_init', 'send_frame_options_header' );
        remove_action( 'admin_init', 'send_frame_options_header' );
    }
}
add_action( 'wp_enqueue_scripts', 'cap_send_frame_options_header' );
You’ll need to replace x with the slug or ID of your page. As far as which page, you’ll need to experiment. Part of learning this stuff is tedium.
I’m out for the weekend. Recommend checking out jobs.wordpress.net if you can’t figure it out, and taking advantage of opportunity cost. Good luck.
Just to be clear what I’m doing. In functions.php:
if ( is_page( 6422 ) ) {
    print "Special login page";
    remove_action( 'login_init', 'send_frame_options_header', 10 );
    remove_action( 'admin_init', 'send_frame_options_header', 10 );
}
inside a function called on the login page. I know this is being called because I get the “special login page” message at the top.
If I look at the header of that page when loaded into the iframe I see:
Referrer Policy: strict-origin-when-cross-origin
sec-fetch-site: cross-site
I’ve also hooked wp_authenticate to remove the actions when login is called.
function try_remove_headers( $user_login, $user_password ) {
    remove_action( 'login_init', 'send_frame_options_header', 10 );
    remove_action( 'admin_init', 'send_frame_options_header', 10 );
    print "login: $user_login";
    print "pass: $user_password";
    die( "oops" );
}
When I call this page and submit it outside of the frame, I get the die and the username and password outputting to the screen, meaning that this function is being called.
When using the login form from the iframe with that code in Chrome, I just get a “failed to connect” error. On Firefox I get a more helpful error message linking to https://support.mozilla.org/en-US/kb/xframe-neterror-page which suggests there is still some cross site protection going on.
I also found this: https://stackoverflow.com/questions/47383874/how-does-wordpress-restrict-x-frame-to-sameorigin which might be more of a clue, but adding the comments to my .htaccess doesn’t work either.
:/
Thanks for the help so far. I guess this could be something to do with my hosting, but it’s hard to debug when you don’t really understand how the cross site protection stuff is working.
I believe any sort of X-Frame-Options header will cause iframe issues. The header cannot be sent at all. If WP is still sending it despite the remove_action() calls, you should be able to remove it from the list about to be sent with the “wp_headers” filter.
I think you’re running into Content Security Policy (CSP) issues. I’m unsure of what the right directives are for login through iframe, but I’m certain something is needed. CSP weighs heavily in iframe functionality with more recent browsers. Older browsers don’t check for it.
You can use the “wp_headers” filter to add a CSP header, or make your own header() call from the “send_headers” action.
Some progress. Going into wp-includes/functions.php, finding
function send_frame_options_header() {
    header( 'X-Frame-Options: SAMEORIGIN' );
}
and commenting out the header line works! I guess this means the
remove_action( 'login_init', 'send_frame_options_header', 10 );
remove_action( 'admin_init', 'send_frame_options_header', 10 );
calls aren’t working for some reason.
Ah! bcworkz you beauty!
function add_header_xua() {
    header( 'Content-Security-Policy: frame-ancestors FULL-URL' );
}
add_action( 'send_headers', 'add_header_xua' );
Works! This overrides the X-Frame-Options command in the wp-includes/functions.php file above and means it will only load in a frame from that URL.
Resolved
Hi @delanthear
I am facing the same issue as you did, tried but still not working.
How did you do it? Can you tell me step by step?
Did you put the code into functions.php on the iframed WP (WP inside) or the WP which holds the page (WP outside)?
function add_header_xua() {
    header( 'Content-Security-Policy: frame-ancestors FULL-URL' );
}
add_action( 'send_headers', 'add_header_xua' );
Also, what else?
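The following is an added example for the resolved approach above and the follow-up question; it is not code from this thread or from WordPress core. The headers must be sent by the framed site (the “WP inside”), since the browser checks the response of the document being embedded. It scopes the change to one login page plus the wp-login.php endpoint that page posts to, names one allowed parent origin, and leaves the default SAMEORIGIN protection on every other page. The page ID 6422 is taken from the thread; the parent origin https://parent.example and the function names are placeholders.

```php
<?php
// Added example (not the thread author's code, not WordPress core).
// Place in a child theme functions.php or a small plugin on the site that is
// being framed. It must load before the 'login_init' hook fires, which theme
// and plugin files do.

define( 'MY_IFRAME_LOGIN_PAGE_ID', 6422 );                    // page that calls wp_login_form()
define( 'MY_TRUSTED_FRAME_ORIGIN', 'https://parent.example' ); // the ONLY parent allowed to frame it

/**
 * Send a CSP frame-ancestors allowlist. The directive takes origins, not
 * full URLs, and browsers that support CSP level 2 give it precedence over
 * X-Frame-Options. Unlike X-Frame-Options, it can name a foreign origin,
 * which is what restricting framing to "one certain domain" needs.
 */
function my_send_frame_ancestors_header() {
    header( "Content-Security-Policy: frame-ancestors 'self' " . MY_TRUSTED_FRAME_ORIGIN );
}

/**
 * 1) The front-end page that renders the form. Conditional tags such as
 * is_page() are only reliable once the main query has run, so hook
 * 'template_redirect' rather than 'send_headers' (which fires earlier).
 * No output has been sent yet, so header() still works here.
 */
function my_iframe_login_page_headers() {
    if ( is_page( MY_IFRAME_LOGIN_PAGE_ID ) ) {
        my_send_frame_ancestors_header();
    }
}
add_action( 'template_redirect', 'my_iframe_login_page_headers' );

/**
 * 2) wp-login.php, which receives the POST from wp_login_form() and
 * re-renders itself on a failed login (the response that produced the
 * "Refused to display" error in the thread). is_page() is always false
 * here, so the check must not depend on it. Core attaches
 * send_frame_options_header() to 'login_init' at priority 10; removing it
 * at load time, before that hook runs, is what makes the removal take effect.
 * 'admin_init' is left alone so wp-admin keeps SAMEORIGIN.
 */
remove_action( 'login_init', 'send_frame_options_header' );
add_action( 'login_init', 'my_send_frame_ancestors_header' );
```

Even with framing allowed, browsers that default cookies to SameSite=Lax will not send the authentication cookies to a cross-site frame unless those cookies are set with SameSite=None; Secure, so a login can complete yet still appear logged out inside the frame.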