modoboa/modoboa-webmail

Embed webmailer into another website

Opened this issue · 7 comments

Hi all,

Can you help me embed the webmailer into another website?
Currently I got the following error:

chromewebdata/:1
Refused to display 'https://mail.****.de/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I think it's related to Cross-Origin Resource Sharing (CORS).

Can you give me a hint on how to add the embedding site's domain to the CORS allow list?

Best regards,
Jonas

Currently returned Referrer Policy: strict-origin-when-cross-origin

Maybe in /srv/modoboa/instance/instance/settings.py, under the line # Security Settings:
Change the line X_FRAME_OPTIONS = "SAMEORIGIN" to whatever you need?

No, this will not work. I need to change the nginx configuration. Any hints on where to find it?

I found it under /etc/nginx/sites-available... let's see...

Also not working... I can't change the Referrer Policy, nor X-Frame-Options. Please help!

So the correct config file is /etc/nginx/sites-enabled/mail.mydomain.de.conf

But
add_header 'X-Frame-Option' 'ALLOW-FROM domain.com'
did not work, because the header is already set to "sameorigin" somewhere else. So they conflict.

Currently my solution is to use the newer header 'Content-Security-Policy' (only works in modern browsers):

Here is my solution (DO NOT USE IN PRODUCTION):

add_header 'Referrer-Policy' 'unsafe-url';
add_header 'Content-Security-Policy' 'frame-ancestors domain.com http://localhost:8080';

It's working for the start page, but /login is still not working:

Refused to display 'https://mail.mydomain.de/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
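
An added example (not code from this thread or from modoboa): a simplified Python model of the framing check browsers apply to a response, following the HTML standard's rule that an enforced CSP `frame-ancestors` directive makes `X-Frame-Options` irrelevant, while a response carrying only `X-Frame-Options` is judged on that header alone. The header sets and `mail.example.test` are constructed, and the `LOGIN` set assumes that response carries no `frame-ancestors` policy; the model checks only the direct parent frame and skips wildcard and path matching.

```python
from urllib.parse import urlsplit

def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def _source_matches(source, parent, page):
    """Simplified CSP host-source match: no paths, no '*.host' or port wildcards."""
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(parent) == _origin(page)
    if "://" not in source:  # scheme-less source: assume the framed page's scheme
        source = urlsplit(page).scheme + "://" + source
    return _origin(source) == _origin(parent)

def framing_allowed(headers, page_url, parent_url):
    """headers: list of (name, value) pairs, duplicates kept. Returns (allowed, reason)."""
    def get(name):
        return [v for k, v in headers if k.lower() == name]
    policies = [p for v in get("content-security-policy") for p in v.split(",")]
    fa = [d.split()[1:] for p in policies for d in p.split(";")
          if d.split() and d.split()[0].lower() == "frame-ancestors"]
    if fa:  # any enforced frame-ancestors: X-Frame-Options is not consulted at all
        ok = all(any(_source_matches(s, parent_url, page_url) for s in srcs) for srcs in fa)
        return ok, "csp frame-ancestors"
    xfo = {t.strip().lower() for v in get("x-frame-options")
           for t in v.split(",") if t.strip()}
    if len(xfo) > 1:  # conflicting values block as soon as one of them is a known token
        return not (xfo & {"deny", "allowall", "sameorigin"}), "x-frame-options (multiple values)"
    if xfo == {"deny"}:
        return False, "x-frame-options"
    if xfo == {"sameorigin"}:
        return _origin(parent_url) == _origin(page_url), "x-frame-options"
    return True, "no enforceable framing header"  # includes the obsolete ALLOW-FROM

# Constructed sample responses (not captured from a real server).
PAGE, PARENT = "https://mail.example.test/", "https://domain.com/"
START = [("X-Frame-Options", "SAMEORIGIN"),
         ("Content-Security-Policy", "frame-ancestors domain.com http://localhost:8080")]
LOGIN = [("X-Frame-Options", "SAMEORIGIN")]  # assumption: no CSP header on this response
CONFLICT = [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "ALLOW-FROM domain.com")]

if __name__ == "__main__":
    for name, hdrs in (("start", START), ("login", LOGIN), ("conflict", CONFLICT)):
        print(name, framing_allowed(hdrs, PAGE, PARENT))
```

Feeding it the headers actually returned for each URL (for example from `curl -sI`) shows which header decides the outcome for that response.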