Formbuilder Forms are blocked ERR_BLOCKED_BY_RESPONSE

[joe_ma]

Hi everybody

On site where I use a form built with formbuilder that worked just fine until very recently. I use the embed option A (easy embed) where you simply put a tag in the text, where you want to show the form.

All of a sudden, the form isn't displayed any more. Instead ther is the blocked-by-response error or a similar message.

How can this be fixed?

Thank you for help.

[netcarver]

Have you adjusted the site's CSP or CORS settings?

[joe_ma]

6 minutes ago, netcarver said:

Have you adjusted the site's CSP or CORS settings?

So far I haven't done anything. Where ore how do I adjust these?

[BitPoet]

You should be able to see more details in the browser's developer console telling you why exactly your browser thinks it mustn't display that part. If the messages in the error console don't give you a clue, you should inspect what happens over the network in your developer console. The most likely explanation for that behavior outside of CSP/CORS headers would be that PW for some reason uses a different domain or http vs. https in the request for the form contents in the embedded iframe.

[netcarver]

24 minutes ago, joe_ma said:

So far I haven't done anything. Where ore how do I adjust these?

So it probably isn't this then, but for reference these are set either in headers returned by the server, or sometimes in HTML in the head section of your page.  Headers come either from PHP or from the Apache2 set up - in the .htaccess or apache config files.

[joe_ma]

It says:

Quote

Refused to display 'https://www.domain.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

But It certainly IS the same origin, as the form was built within the same pw site.

[netcarver]

The same origin policy has to match on the domain, port and protocol. So the host page and the iframe source need to be https, on port 443 (by default) on www.domain.com

For reference: and only if you actually need to add an exception to the X-Frame-Options header, you'll probably need to edit the root .htaccess file in your pw install to allow it.

[joe_ma]

But to me that seems to be the case. I don't see any difference.

Site: https://domain.com
Form: https://domain.com/form-builder/form/

[netcarver]

I know it's a little counter intuitive, but domain.com !== www.domain.com => not the same origin.

Yet it sounds like your server headers are explicitly telling the browser not to load an iframe if it doesn't come from the same origin.

[netcarver]

Simplest way to test is to edit your root .htaccess in the PW install directory and comment out the X-Frame-Options line (just start the line with a hash character '#') and save the .htaccess file, then clear cache and reload the page in your browser. If it works, then this is the issue and you'll either need to add an exception to the .htaccess to allow frame loading from www.domain.com or re-add the line and fix this a different way to ensure the source and iframe both load from domain.com (or both load from www.domain.com)

[joe_ma]

OK; when this is commented out, the form is displayed.

The console throws another error though:

Quote

Uncaught DOMException: Permission denied to access property "document" on cross-origin object

regarding two lines in formbuilder.js that are dealing with the size of the viewport.

[joe_ma]

Quote

I know it's a little counter intuitive, but domain.com !== www.domain.com => not the same origin

Oh, I see! There is a difference indeed. The site is https://domain.com and the form gets loaded from https://www.domain.com. When I add the www for the site, the form is displayed.

So I set htacces rewrite to always use https://domain.com without www.

It looks, like it should work.

Thank you very much for your help!