I have installed LimeSurvey locally, and now want to show a survey within a frame.
It works fine if the origin is the same, but otherwise shows a 401 error.
I have tried to remove the X-Frame-Options in LimeSurvey's .htaccess file (Header always unset X-Frame-Options), to no avail.

Is there a setting in LimeSurvey that I don't know of ?
How to remove this 401 error ?

FYI, here is the code of my iframe (which works fine if same origin) :

<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8" />
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>MY TITLE</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
<meta name="robots" content="noindex">
<link rel="shortcut icon" href="../img/favicon.ico" />
</head>
<body style="margin: 0; padding: 0;">
<iframe src="MY SURVEY URL" frameborder="0" style="display: block; background: #fff; border: none; height: 100vh; width: 100vw;"></iframe>
</body>
</html>

Hi,
You installed LimeSurvey locally on a XAMPP server?

And what is the meaning of "same origin" vs. "not same origin"?
Sorry, I do not understand that?

Is your survey activated?


Joffm

I installed LimeSurvey on a Linux (Apache) server, live.
The survey I created is NOT yet activated, so I was only previewing it.

If the iframe is "same origin" as the survey (both are on the same domain), it works.
Then if I move the iframe to a different domain, it fails.
The iframe remains unchanged, with an absolute URL that points to the survey.

The error says :

401: Unauthorized
We are sorry but you don't have permissions to do this.
You must be logged in to access to this page.

Try to activate survey 1st

github.com/LimeSurvey/LimeSurvey/blob/7a...urvey/index.php#L232

Surely a domain issue , then you are not loggued for the iframe.

After I activated the survey, another error arises : clicking on the "Next" button doesn't work !

After clicking, the mouse cursor turns briefly to 'not-allowed', and then reverts back to default, stuck on the same question group.

Therefore I asked you, if it is activated.

Well, without knowing anything about your environment, every answer is only a guess.

I just tested with your HTML and a survey on a different domain - no problem at all.

BTW: What happens if you call the LimeSurvey page " www.limesurvey.org "?

Joffm

Please find here the iframe'd and activated survey :

[ iframe'd and same domain -> pressing on 'Next' results in PHP Error [500] Undefined offset: -1 ]
lifestooeasy.com/home/fr/survey_in_frame

[ iframe'd and different domain -> clicking on the "Next" button doesn't work at all ]
pilierpublic.com/fr/survey_in_frame

[ original survey -> works fine ]
lifestooeasy.com/survey/index.php/867832?lang=fr

The best is to have same domain for iframe …

Else there are always error because Browser security disable this.
stackoverflow.com/questions/2117248/sett...ame-different-domain

But with my current Firefox it work on pilierpublic.com/fr/survey_in_frame

Hi,

I only could test your first URL, where you said "pressing on 'Next' results in PHP Error [500] Undefined offset: -1 ]"
But look, I am at the end:


For the others I get the message that I already completed the questionnaire "Vous avez déjà complété ce questionnaire".
(Did you set the IP check?)

Joffm

Thank you all for your help.

At this point I am convinced that running the iframe from a different domain won't work because of the cookies being used by LimeSurvey.
While annoying, this isn't critical for me and thus I shall run the survey from the same domain.

Joffm : yes, I had enabled IP check (an oversight considering the test being run)

There is probably a bug report to be filed, because application/config/config-defaults.php contains a string that is supposed to enable what I was looking for :

/**
* Sets if any part of LimeSUrvey may be embedded in an iframe
* Valid values are allow, sameorigin
* Default: allow
* Recommended: sameorigin
* Using 'deny' is currently not supported as it will disable the theme editor preview and probably file upload.
*/
$config = 'allow';

To be sure, I also tried optional settings ( www.limesurvey.org/manual/Optional_settings ), adding to config.php :

// Set the domain for cookie
'session'=>array(
'cookieParams'=>array(
'domain'=>'.pilierpublic.com',
),
),

That didn't change a thing. As before, cookies are being set on the other domain, as if the aforementioned settings was completely ignored.

For the future, it would be nice to offer an option that replaces cookies with URL query GET parameters (when in an iframe, these won't be seen by the user anyway) and a form's POST parameters.

@Joffm and me can goes to the survey on 2 different domain …

My firefox is the last one with support.mozilla.org/en-US/kb/content-blocking at strict + ublock origin + Privacy badger.

Then if you have an issue : it's your old browser who don't understand Cross domain policy : developer.mozilla.org/en-US/docs/Web/HTTP/CORS

For the record, I ran all my tests with the latest version of Chrome.