```
edxapp@ip-172-31-30-95:~/edx-platform$ git branch -v
  master                    c8accbc30e Merge pull request #15131 from edx/nedbat/help-tokens-from-pypi
* open-release/ficus.master ef1065178a Move matplotlib to post requirements.
```
# JavaScript Console within Chrome Browser
```
Refused to display 'https://cms.ficus-lti.ew-dev.com/static/ef1065178a//js/vendor/tinymce/js/ti…static/ef1065178a//js/vendor&ParentOrigin=https://cms.ficus-lti.ew-dev.com' in a frame because it set 'X-Frame-Options' to 'deny'. container.js:162
GET https://cms.ficus-lti.ew-dev.com/static/ef1065178a//js/vendor/tinymce/js/ti…static/ef1065178a//js/vendor&ParentOrigin=https://cms.ficus-lti.ew-dev.com net::ERR_BLOCKED_BY_RESPONSE
```
# Network Responses within Chrome Browser
Here are two document request/responses that I thought were important.
Document #1
HTTP STATUS: 200
General
- Request URL:
- Request Method:GET
- Status Code:200
- Remote Address:
- Referrer Policy:no-referrer-when-downgrade
- Response Headers
- content-encoding:gzip
- content-language:en
- content-type:text/html; charset=utf-8
- date:Wed, 07 Jun 2017 16:35:19 GMT
- p3p:CP="Open edX does not have a P3P policy."
- server:nginx
- set-cookie:csrftoken=zLg9xKS4QyOjaBTX3N5eu7n5Ch3OtDXp; expires=Wed, 06-Jun-2018 16:35:19 GMT; Max-Age=31449600; Path=/
- status:200
- vary:Accept-Language, Cookie
- vary:Accept-Encoding
- x-content-type-options:nosniff
- x-frame-options:ALLOW
- x-frame-options:DENY
- Request Headers
- :authority:
- :method:GET
- :path:/container/block-v1:edX+DemoX+Demo_Course+type@vertical+block@45c7cedb4bfe46f4a68c78787151cfb5
- :scheme:https
- accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
- accept-encoding:gzip, deflate, sdch, br
- accept-language:en-US,en;q=0.8,es;q=0.6
- cache-control:max-age=0
- cookie:edxloggedin=true; sessionid="1|hxft44pa0s9vlngek59fxiu6s376ynx0|r2md4UHcuWuT|ImUwMDNmZDQwZGVmMTM3MGE2ODcyYmZiMjdiMTEzNTNlMGZlZmM4NDk3YzI1ZjgxMGViZDUwY2VlOWJiNjJjNzMi:1dIds0:ykAJl4G_f3gSJfGpEjQuRPM2gyU"; edx-user-info="{\"username\": \"staff\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"092a45aee16385f5730b722aee207a87\"\054 \"header_urls\": {\"logout\": \"https://cms.ficus-lti.ew-dev.com/logout\"}}"; csrftoken=zLg9xKS4QyOjaBTX3N5eu7n5Ch3OtDXp
- referer:
- upgrade-insecure-requests:1
- user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Document #2
HTTP STATUS: (FAILED)
- Request URL:
- Referrer Policy:no-referrer-when-downgrade
- Request Headers
- Provisional headers are shown
- Referer:
- Upgrade-Insecure-Requests:1
- User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
- Query String Parameters
- CodeMirrorPath:/static/ef1065178a//js/vendor
- ParentOrigin:
```
# Clickjacking protection can be enabled by setting this to 'DENY'
X_FRAME_OPTIONS = 'ALLOW'

##### X-Frame-Options response header settings #####
X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
```
# Response Header
```
x-frame-options:ALLOW
x-frame-options:DENY
```
/etc/nginx/snippets/ssl-params.conf
```
# Commenting this out removed that second `x-frame-option` within the HTTP response header.
#add_header X-Frame-Options DENY;
```
```
upstream cms-backend {
  server 127.0.0.1:8010 fail_timeout=0;
}

server {
  listen 80;
  listen [::]:80;
  server_name cms.ficus-lti.ew-dev.com;
  return 301 https://$server_name$request_uri;
}

server {
  # CMS configuration file for nginx, templated by ansible

  # Proxy to a remote maintanence page

  # error pages
  error_page 504 /server/server-error.html;
  error_page 502 /server/server-error.html;
  error_page 500 /server/server-error.html;

  #listen 18010 ;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name cms.ficus-lti.ew-dev.com;
  include snippets/ssl-ficus-lti.ew-dev.com.conf;
  include snippets/ssl-params.conf;

  # Prevent invalid display courseware in IE 10+ with high privacy settings
  add_header P3P 'CP="Open edX does not have a P3P policy."';

  .... more code here ....
}
```
Clickjacking issue with Studio loading the HTML editor contents. Occurs with the default edX course or any other course's HTML components.

Version: open-release/ficus.master
After installing the latest native install of Ficus, it appears that when editing an HTML component within the TinyMCE editor and clicking the HTML button to pull up the HTML code, the following JavaScript error is displayed.
Zach
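
Added example, not part of the original post or of edx-platform: a small Python model of how a browser combines the two `x-frame-options` values quoted above, showing why the editor frame is refused while both are sent and what changes once the nginx `add_header` line is commented out. The function names `xfo_values` and `framing_allowed` are hypothetical, the header list is constructed from the values in the post, and the combining rule is a simplified reading of the X-Frame-Options check in the HTML Standard.

```python
# Added example: models how a browser combines the X-Frame-Options values of
# one response. Simplified: ignores CSP frame-ancestors and nested ancestors.

RECOGNISED = {"deny", "sameorigin", "allowall"}


def xfo_values(headers):
    """Return every X-Frame-Options value, lowercased, from (name, value) pairs."""
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # Repeated header lines and comma-joined values are treated alike.
            values += [v.strip().lower() for v in value.split(",") if v.strip()]
    return values


def framing_allowed(headers, frame_origin, parent_origin):
    """Return (allowed, reason) for parent_origin framing a frame_origin page."""
    distinct = set(xfo_values(headers))
    if not distinct:
        return True, "no X-Frame-Options header"
    if len(distinct) > 1:
        # Conflicting values: any recognised one makes the browser refuse.
        if distinct & RECOGNISED:
            return False, "conflicting values %s" % sorted(distinct)
        return True, "only unrecognised values, ignored"
    (only,) = distinct
    if only == "deny":
        return False, "deny"
    if only == "sameorigin":
        same = frame_origin == parent_origin
        return same, "sameorigin, parent %s" % ("matches" if same else "differs")
    return True, "%r does not restrict framing" % only


# Constructed sample based on the response headers quoted in the post.
ORIGIN = "https://cms.ficus-lti.ew-dev.com"
AS_REPORTED = [("x-content-type-options", "nosniff"),
               ("x-frame-options", "ALLOW"),   # matches X_FRAME_OPTIONS = 'ALLOW'
               ("x-frame-options", "DENY")]    # matches the nginx add_header line
NGINX_LINE_REMOVED = [h for h in AS_REPORTED if h[1] != "DENY"]

if __name__ == "__main__":
    for label, hdrs in (("as reported", AS_REPORTED),
                        ("add_header commented out", NGINX_LINE_REMOVED)):
        print(label, framing_allowed(hdrs, ORIGIN, ORIGIN))
```

Under this model a single `SAMEORIGIN` value sent by one layer keeps the same-origin editor frame working while cross-origin framing is still refused, which `ALLOW` on its own does not do.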