Iframe is blocked

Answer these questions to help the Community help you with Security questions.

What is the domain name?
speedtest.iiidefconiii.info

Have you searched for an answer?
Duhhh

Please share your search results url:
speedtest.iiidefconiii.info heeft de verbinding geweigerd.

When you tested your domain, what were the results?
the domain itself is working fine, just the iframe is blocked

Describe the issue you are having:
the domain itself is working fine, just the iframe is blocked

What error message or number are you receiving?
speedtest.iiidefconiii.info heeft de verbinding geweigerd.

What steps have you taken to resolve the issue?

  1. RTFM already
  2. Cloudflare website topic related

Was the site working with SSL prior to adding it to Cloudflare?
Yeah

What are the steps to reproduce the error:

  1. Add the page to an iframe in homeassistant

Have you tried from another browser and/or incognito mode?
not related

Please attach a screenshot of the error:

You need to check the HTTP response headers you’re sending out from the speedtest, such as for example the “X-Frame-Options” header, which is currently set to “SAMEORIGIN”.

wow that was a quick response, lemme check out where and how to change it

can't edit my post to put EDIT:

  1. i check the speedtest settings itself, where i could find any option to adjust that
  2. I'm now gonna check the docker compose → containers settings.

Tried this post but I'm also stuck here:

after a bit of research i indeed found out that i have
x-frame-options SAMEORIGIN
for me other applications that isn't working (grafana)
X-Frame-Options DENY
So tomorrow I’m going to dig a bit further in the rabbit hole and find out where to adjust this. I think it’s on Cloudflare, and I need to adjust this somewhere.

The reference from that post is to check this following link:

https://dash.cloudflare.com/?to=/:account/:zone/rules/transform-rules/managed-transforms

Verify that “Add security headers” is DISABLED.

Could be something like the above, but if it is on Cloudflare, it must be something you’ve enabled yourself (even if accidental or otherwise unknowingly).

lemme uncheck that add security headers here and try

Mate, if i can call you that, I freaking love u!


All good now!!

Last question though, is it possible to still enable it back and make an exception for 2 things?

As long as it is done in good faith, which it seems, I believe it is OK? :wink:

The “X-Frame-Options” header has an option called “ALLOW-FROM”, which can be used like e.g. “ALLOW-FROM https://example.com”, but that option is obsolete, and doesn’t work in most browsers, which you can see a table of on the above link.

The general advice is to move on with the “Content-Security-Policy” header.

The “Add security headers” indicates that it will add several security-related HTTP response headers, and at the same time, does not appear to have options for granularity.

I would therefore not personally be relying on the “Add security headers” transform rule, if you want to attempt to make exceptions.
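
An added example, not part of the original thread: a simplified Python model of how a browser decides whether a parent page may frame a response, covering the “X-Frame-Options” values discussed above and the `frame-ancestors` directive of “Content-Security-Policy”. The function names and the `speedtest.example` / `homeassistant.example` URLs are assumptions, and the model only handles exact-origin sources and the direct parent page.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port), filling in the default port."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_verdict(headers, page_url, parent_url):
    """Say whether parent_url may embed page_url given the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # With frame-ancestors present, browsers ignore X-Frame-Options.
        for src in sources:
            if src == "'self'" and origin(parent_url) == origin(page_url):
                return "allowed (CSP 'self')"
            if src == "*" or ("://" in src and origin(src) == origin(parent_url)):
                return "allowed (CSP source match)"
        return "blocked (CSP frame-ancestors)"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked (X-Frame-Options DENY)"
    if xfo == "SAMEORIGIN" and origin(parent_url) != origin(page_url):
        return "blocked (X-Frame-Options SAMEORIGIN)"
    # ALLOW-FROM lands here: obsolete, so it restricts nothing.
    return "allowed (no effective framing restriction)"

# Constructed sample values (assumptions, not from the thread).
PAGE = "https://speedtest.example/"
PARENT = "https://homeassistant.example:8123/lovelace"

if __name__ == "__main__":
    for hdrs in ({"X-Frame-Options": "SAMEORIGIN"},
                 {"X-Frame-Options": "ALLOW-FROM https://homeassistant.example:8123"},
                 {"X-Frame-Options": "DENY", "Content-Security-Policy":
                  "frame-ancestors 'self' https://homeassistant.example:8123"}):
        print(hdrs, "->", framing_verdict(hdrs, PAGE, PARENT))
```

The second sample shows why “ALLOW-FROM” is not a usable exception mechanism: a browser that ignores it applies no framing restriction at all, whereas a `frame-ancestors` list admits only the named origins.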

for now it's fixed and ok, and if omada works on their vpn issue and that will be fixed I'm going to probably disable the whole tunnel to the outside
