iFrame Editor injected with wrong domain

  • Resolved Kevin Pfeifer

    (@beardcat)


    6 months ago

    We have a website running with multiple TLD’s setup via WPML and are running in a problem, where Elementor Editor only works for the “main” TLD but not any other TLD.

    The reason for that is the fact, that Elementor always uses the “main TLD” as the iFrame src.

    https://screenshot.sunlime.at/b11c3f8ae439c02e5b33aa880cd2fa87.webp

    If you then combine that with a

    x-frame-options: SAMEORIGIN

    HTTP Header, it results in 

    Refused to display 'https://www.bretanide.at/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

    Uncaught SecurityError: Failed to read a named property 'elementorFrontend' from 'Window': Blocked a frame with origin "https://www.bretanide.hr" from accessing a cross-origin frame.

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Kevin Pfeifer

    (@beardcat)

    6 months ago

    We are on
    WordPress 6.8.3
    Elementor 3.33.2
    Elementor Pro 3.33.1
    WPML 4.8.6 
    PHP 8.2.18

    Plugin Support Milos

    (@miloss84)

    6 months ago

    Hi,

    Since you are an Elementor Pro user, you can open a support ticket at my.elementor.com ref: https://elementor.com/help/how-to-submit-a-support-ticket/ I’d also suggest you check out Elementor Community Group on Facebook.

    We have created it to connect Elementor users together and share knowledge, Global Elementor Community.

    ww.wp.xz.cn rules state that commercial products are not supported here.

    Thread Starter Kevin Pfeifer

    (@beardcat)

    6 months ago

    Thanks, we contacted Elementor Pro commercial support

    Thread Starter Kevin Pfeifer

    (@beardcat)

    5 months, 4 weeks ago

    To follow up on anyone who encounters this problem as well:

    Elementor Pro ALWAYS uses the domain, which is registered to the license. Therefore, elementor is NOT multi TLD setup compatible (like you can do with WPML or WordPress Multisite)

    I have to add, that this only is a problem if you add recommended HTTP XSS Headers like these where this kind of problem appears:

    strict-transport-security: max-age=15552000;
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: same-origin
    x-robots-tag: none
    x-frame-options: SAMEORIGIN

    We had to remove those security recommended headers to get it to work again.

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.