Log into WordPress accounts within iframe

Just to be clear what I’m doing. In functions.php:

	if ( is_page(6422) ) {
		print "Special login page";
		remove_action( 'login_init', 'send_frame_options_header', 10, 0 );
		remove_action( 'admin_init', 'send_frame_options_header', 10, 0 );
	}

inside a function called on the login page. I know this is being called because I get the “special login page” message at the top.

If I look at the header of that page when loaded into the iframe I see:

Referrer Policy: strict-origin-when-cross-origin
sec-fetch-site: cross-site

I’ve also hooked wp_authenticate to remove the actions when login is called.

	function try_remove_headers( $user_login, $user_password ) {
		remove_action( 'login_init', 'send_frame_options_header', 10, 0 );
		remove_action( 'admin_init', 'send_frame_options_header', 10, 0 );
		print "login: $user_login";
		print "pass: $user_password";

		die("oops");
	}

When I call this page and submit it outside of the frame, I get the die and the username and password outputting to the screen, meaning that this function is being called.

When using the login form from the iframe with that code in Chrome, I just get a “failed to connect error”. On Firefox I get a more helpful error message linking to https://support.mozilla.org/en-US/kb/xframe-neterror-page which suggests there is still some cross site protection going on.

I also found this: https://stackoverflow.com/questions/47383874/how-does-wordpress-restrict-x-frame-to-sameorigin which might be more of a clue, but adding the comments to my .htaccess doesn’t work either.

:/

Thanks for the help so far. I guess this could be something to do with my hosting, but it’s hard to debug when you don’t really understand how the cross site protection stuff is working 😀
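
Added example, not part of the original post: a small Python checker for the response headers that decide whether a browser will render a page, and keep a login session, inside a cross-site iframe (`X-Frame-Options`, CSP `frame-ancestors`, and the cookie `SameSite` attribute). The origins and the header values in `SAMPLE` are constructed, and `framing_blockers` is a hypothetical helper name.

```python
# Added example: which response headers stop a login form in a cross-site iframe.
# SAMPLE is constructed for illustration, not captured from the poster's site.

def framing_blockers(headers, page_origin, parent_origin):
    """headers: list of (name, value) pairs exactly as sent, duplicates kept.
    Returns the reasons a login framed by parent_origin would fail."""
    reasons = []
    # Simplification: "cross-site" is approximated as "different origin".
    same = page_origin.lower() == parent_origin.lower()
    policies = []  # one source list per CSP header that has frame-ancestors
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.lower().split()
                if parts and parts[0] == "frame-ancestors":
                    policies.append(parts[1:])
    for sources in policies:
        # Simplification: only '*', 'self' and exact origins are matched.
        if not ("*" in sources or parent_origin.lower() in sources
                or ("'self'" in sources and same)):
            reasons.append("CSP frame-ancestors excludes " + parent_origin)
    if not policies:
        # X-Frame-Options only counts when no frame-ancestors policy exists.
        for name, value in headers:
            v = value.strip().upper()
            if name.lower() == "x-frame-options" and (
                    v == "DENY" or (v == "SAMEORIGIN" and not same)):
                reasons.append("X-Frame-Options: " + v)
    if not same:
        for name, value in headers:
            if name.lower() != "set-cookie":
                continue
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "samesite=none" not in attrs or "secure" not in attrs:
                cookie = value.split("=", 1)[0].strip()
                reasons.append(cookie + " lacks SameSite=None; Secure")
    return reasons

SAMPLE = [
    ("X-Frame-Options", "SAMEORIGIN"),   # e.g. sent by the application
    ("X-Frame-Options", "SAMEORIGIN"),   # e.g. added again by the web server
    ("Set-Cookie", "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure"),
]

if __name__ == "__main__":
    for reason in framing_blockers(SAMPLE, "https://site.example",
                                   "https://portal.example"):
        print("blocked:", reason)
```

Feed it the headers the browser actually received for the framed request. `remove_action()` only stops the header WordPress itself sends, so a copy added by the web server or host still shows up here.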


