
iframe on homarr stopped working in a new version #375

Closed
KotletJB opened this issue Mar 18, 2024 · 5 comments

@KotletJB

Describe the bug

iframe on homarr stopped working in a new version

Expected behavior

A clear and concise description of what you expected to happen.

working iframe

Additional context

Please paste the docker-compose file you're using to host YourSpotify and its logs (you can skip the mongo logs). If your issue has anything related to other tools, please paste their config too.

throwing web server 304

Screenshots

If applicable, add screenshots to help explain your problem.

Shared link

If you don't mind, you can add a Shared link to this issue by clicking Share this page on your YourSpotify application so that I can identify the issue quicker.

@KotletJB changed the title from "iframe on homarr stoped working i new version" to "iframe on homarr stoped working in a new version" on Mar 18, 2024
@Yooooomi
Owner

Hello, yes this is intentional. Several security issues have been addressed. One possible thing would be to enable iframe through an environment variable. But keep in mind that being able to display a website in an iframe makes it vulnerable to clickjacking.

@KotletJB
Author

Okay, so how can I do this? I tried the CORS variable but it is not working. Also I am using this in my home lab that isn't opened to the internet, so security is not in my concerns.

@Yooooomi
Owner

I'll work on something to deactivate the frame security you'll be able to use.

@RagingCactus
Contributor

Just to clarify for other readers: As the person who reported the recent security issues, just allowing single origins you control using the new FRAME_ANCESTORS variable is absolutely fine and secure, as you can trust the origins you control. I just want to encourage everyone to only allow specific origins instead of falling back to allowing all by default. You can also enter multiple origins or even wildcards such as *.my-home-apps.example.com if you need to.

But keep in mind that now or in the very near future, browser security measures might still break YourSpotify when it is displayed in an iframe if the framing site and the framed site are not in a same-site relationship (with same-site roughly meaning being served on different subdomains of the same domain). In that case, there is very little that can be done without changing the whole authentication process, and even then it can become quite difficult.

Also, it is not possible to log in to YourSpotify while it is displayed in an iframe. There is nothing that can be done about that, as Spotify itself does not allow its login to be displayed in a frame, again, for security reasons.
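As an added example (not YourSpotify's own code) of what the FRAME_ANCESTORS setting discussed above boils down to: the value is turned into a CSP `frame-ancestors` directive, and a small matcher shows which framing origins a given policy admits, including the `*.my-home-apps.example.com` wildcard case and why a bare `*` is the setting to avoid. The comma/space separated format and the Express-style middleware shape are assumptions, not the project's real syntax.

```javascript
// Added example, not YourSpotify's own code. FRAME_ANCESTORS is the variable
// named in the thread; the separator format is an assumption.

// Split "https://homarr.example.com, *.my-home-apps.example.com" into sources.
function parseFrameAncestors(value) {
  return (value || '').split(/[\s,]+/).filter(Boolean);
}

// Header value. No configured sources means framing is blocked ('none'),
// which is the safe default for a site that is never meant to be framed.
function buildFrameAncestorsHeader(value) {
  const sources = parseFrameAncestors(value);
  return `frame-ancestors ${sources.length ? sources.join(' ') : "'none'"}`;
}

// Minimal CSP host-source matching: optional scheme, host or *.host wildcard,
// optional port (compared literally; a default port shows up as ''). A bare
// '*' admits any origin, i.e. any site on the internet may frame the app.
function sourceMatches(source, origin) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // 'none', 'self': not handled here
  const url = new URL(origin);
  const idx = source.indexOf('://');
  const scheme = idx >= 0 ? source.slice(0, idx + 1) : null;
  const [host, port] = (idx >= 0 ? source.slice(idx + 3) : source).split(':');
  if (scheme && scheme !== url.protocol) return false;
  if (port && port !== '*' && port !== url.port) return false;
  if (host.startsWith('*.')) {
    // Keep the leading dot: *.example.com matches subdomains, not example.com
    const suffix = host.slice(1);
    return url.hostname.endsWith(suffix);
  }
  return host === url.hostname;
}

// Would a browser enforcing this policy let `origin` frame the app?
function framingAllowed(value, origin) {
  return parseFrameAncestors(value).some((s) => sourceMatches(s, origin));
}

// Express-style middleware (hypothetical) that sets the header on every response.
function frameAncestorsMiddleware(value) {
  const header = buildFrameAncestorsHeader(value);
  return (req, res, next) => {
    res.setHeader('Content-Security-Policy', header);
    next();
  };
}
```

Wire it up with `app.use(frameAncestorsMiddleware(process.env.FRAME_ANCESTORS))`; with the variable unset the app refuses all framing, with a specific origin only that dashboard can embed it.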

@KotletJB
Author

KotletJB commented Mar 23, 2024

Thanks, works like a charm
