ionut71 Posted September 26

Hi,

I have a web server with PLESK control panel. In order to protect a website from clickjacking, I've followed the instructions from: https://support.plesk.com/hc/en-us/articles/12377561912471-How-to-protect-a-website-from-clickjacking-in-Plesk-for-Linux by adding the Header set X-Frame-Options DENY additional Apache directive for HTTP and HTTPS, and the add_header X-Frame-Options DENY; additional directive for nginx.

NO problems in PS 1.7.8.11.

In PS 8.1.7, when I'm trying to create a new product, a popup window appears with the following message: domain_name refused to connect. See attached picture. No other log entries.

Maybe it will help someone with the same problem.

www.you-sport.com Posted September 28 (edited)

On 9/27/2024 at 1:14 AM, ionut71 said:
> Hi, I have a web server with PLESK control panel. In order to protect a website from clickjacking, I've followed the instructions from: https://support.plesk.com/hc/en-us/articles/12377561912471-How-to-protect-a-website-from-clickjacking-in-Plesk-for-Linux by adding the Header set X-Frame-Options DENY additional Apache directive for HTTP and HTTPS, and the add_header X-Frame-Options DENY; additional directive for nginx. NO problems in PS 1.7.8.11. In PS 8.1.7, when I'm trying to create a new product, a popup window appears with the following message: domain_name refused to connect. See attached picture. No other log entries. Maybe it will help someone with the same problem.

Have you put the exact domain with https in the PrestaShop configuration?

ionut71 Posted September 28 (Author)

Yes.

Shop parameters -> General:
Enable SSL = Yes
Enable SSL on all pages = Yes

Advanced Parameters -> Multistore:
Store URL Domain = domain.tld
SSL Domain = domain.tld
Physical URL = empty
Virtual URL = empty
Final URL = http://domain.tld

If I remove the X-Frame-Options directives, the website works correctly, I can add a new product.

www.you-sport.com Posted September 28

Try on these, SSL Domain and Final URL: https://domain.tld, and also clear the cache folders...

Andrei H Posted September 29 (edited)

Hello,

First off, while the content inside that link seems to have been updated recently, please also have a look at the official MDN documentation on X-Frame-Options - as you can see, this feature is no longer recommended. You can still use it for old browsers, but you would want to pair it with the Content-Security-Policy header (specifically, frame-ancestors), as this is the recommended one.

Now, getting back to the actual subject. If you try and inspect the page, you will see that PrestaShop opens an iframe when you click that New product button. The deny option will not allow the page to be displayed in an iframe.

The option you might want to go with is Content-Security-Policy: frame-ancestors 'self' - which is the equivalent of X-Frame-Options: sameorigin (maybe pair it with this one as well, but all modern browsers support CSP anyway) - this will ensure a page of your site can be opened in an iframe only by the same site.