<application> does not work in iframe
rmountjoy92 opened this issue · 4 comments
You will notice that DashMachine's iframe option only works with certain apps. Here is the explanation: https://stackoverflow.com/questions/6663244/cant-show-some-websites-in-iframe-tag
If someone finds out a way around this, please let me know or submit a PR.
This really needs to be done using the reverse proxy or the application itself.
The X-Frame-Options header needs to exist in the HTTP response, with its value set to something like “ALLOW-FROM http://xxx.xx”.
If you're using Traefik, you will add a traefik flag - I'm using docker compose, and I have something like this (the last label is important):
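```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.ouroboros.rule=Host(`ouroboros.example.com`,`ouroboros`)"
  # Attach the headers middleware to the router, otherwise it is never applied
  - "traefik.http.routers.ouroboros.middlewares=ouroboros"
  # customFrameOptionsValue sits directly under headers and sets the X-Frame-Options response header
  - "traefik.http.middlewares.ouroboros.headers.customFrameOptionsValue=ALLOW"
```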
In nginx, I think it's the site (or default) option
```nginx
proxy_hide_header X-Frame-Options;
```
People should be aware that this configuration is less secure than the default configurations.
Just so people are aware, the directive allow-from from the header X-Frame-Options is obsolete.
The new way is using the directive frame-ancestors in the header Content-Security-Policy.
Unless you need to support legacy browsers, this is the new way that should be used to allow iframe loading in other domains.
@mmarquezs thanks for the info, is there anything I need to do on DashMachine's side?
No, as you said, this is something that requires a change on the original application or that can be fixed on the reverse proxy, so unless you add your own reverse proxy to DashMachine there is nothing to do.
I just wanted to add the extra info just in case the other directive doesn't work for some browsers due to being obsolete.
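An added example, not from the thread participants or from DashMachine: an nginx reverse-proxy block that removes the upstream X-Frame-Options header but limits framing to one dashboard origin with the frame-ancestors directive, next to the weaker form that only strips the header. The hostnames `app.example.com` and `dash.example.com` and the upstream address are assumptions.

```nginx
# Added example; hostnames and the upstream address are placeholders.
server {
    listen 80;
    server_name app.example.com;              # assumed: the proxied application

    location / {
        proxy_pass http://127.0.0.1:8080;     # assumed upstream address

        # Weak form: stripping the header with nothing in its place
        # lets any origin frame the application.
        #   proxy_hide_header X-Frame-Options;

        # Scoped form: drop the upstream header, then state which
        # origins may frame the application.
        proxy_hide_header X-Frame-Options;
        add_header Content-Security-Policy "frame-ancestors 'self' https://dash.example.com" always;

        # add_header directives declared here replace any inherited from
        # the server or http level, so repeat other security headers in
        # this block if they are set higher up.
    }
}
```

If the upstream application sends its own Content-Security-Policy header, browsers enforce both policies together, so an upstream `frame-ancestors 'none'` would still block framing until it is changed at the application.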