Portainer and x-frame


(David Williams) #1

Hi there,

I’m getting an error trying to use Portainer in an iFrame.

In Chrome it’s just blank, but in Edge I get this error displayed:

[image]

I also think it’s something to do with the x-frame-options detailed here: https://github.com/portainer/portainer/issues/2279

My Caddyfile looks like this:

my-domain.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

portainer.my-domain.duckdns.org {
    proxy / localhost:9000 {
        websocket
        transparent
    }
}

I can load portainer via https://portainer.my-domain.duckdns.org:xxxxx just not in a frame.

Anyone have a suggestion?


(Matthew Fay) #2

Yeah, the X-Frame-Options header will cause that issue, but I don’t think it’s your header that’s doing it. It’s the one coming from Portainer itself, which you’re proxying to.

From the linked issue, it looks like Portainer sends X-Frame-Options: deny, which completely disallows iframes. The suggestion is made to use proxy_hide_header X-Frame-Options;, for which Caddy has an equivalent you can add to your proxy directive for Portainer: header_downstream -X-Frame-Options.

https://caddyserver.com/docs/proxy


(David Williams) #3

Are you able to show me how to do that? Looked at the doc but it’s not clear to me what I should do.


(Matthew Fay) #4

Have a look at the advanced syntax section, where it shows the form of the directive with the braced block ( { and } ) and the subdirectives inside.

header_downstream is one of the subdirectives listed there. Put it inside the brace block, similarly to the subdirectives in the examples:

https://caddyserver.com/docs/proxy#examples


(David Williams) #5

So…

my-domain.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

portainer.my-domain.duckdns.org {
    proxy / localhost:9000 {
        websocket
        transparent
        header_downstream -X-Frame-Options
    }
}

Is that all or is it in the right place?

EDIT: OK I did that and it fixed it.


(Matthew Fay) #6

Looks good to me, give it a shot and see what happens.
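A way to verify the fix discussed in #2 and #5, and to see what it costs: the script below is an added example, not code from this thread, from Caddy or from Portainer. It applies the browser rules for X-Frame-Options and for Content-Security-Policy frame-ancestors (which takes precedence when both are present) to a set of response headers and reports whether a page at one origin may be framed by a page at another. The header lists in the main block are constructed, and the hostnames and the parent page origin are taken from the Caddyfile above as assumptions. Note that after `header_downstream -X-Frame-Options` the proxied Portainer UI is frameable by any site, not just yours; the third case shows the alternative of replacing the header with a frame-ancestors policy that only allows the parent site.

```python
"""Decide whether a response may be shown in an <iframe> on a given parent page.

Added example (not from the thread, Caddy or Portainer). Implements the browser
handling of X-Frame-Options and CSP frame-ancestors, roughly as Chromium does it.
"""
from urllib.parse import urlparse
import urllib.request

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Normalise an absolute URL to its origin (scheme://host[:port], default port dropped)."""
    p = urlparse(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = "" if p.port in (None, _DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}".lower()


def _source_matches(src: str, parent: str, target: str) -> bool:
    """Match one CSP source expression ('self', 'none', *, https:, [scheme://]host[:port]) against the parent origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent == target
    if src == "*":
        return True
    p = urlparse(parent)
    if src.endswith(":") and "//" not in src:          # scheme source, e.g. "https:"
        return p.scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")            # host source, scheme optional
    host, _, port = rest.partition(":")
    if scheme and scheme != p.scheme:
        return False
    parent_port = p.port or _DEFAULT_PORTS.get(p.scheme)
    if port and port != "*" and port != str(parent_port):
        return False
    if host.startswith("*."):                          # "*.duckdns.org" matches subdomains only
        return p.hostname.endswith(host[1:])
    return p.hostname == host


def framing_allowed(headers, parent_url: str, target_url: str):
    """Return (allowed, reason). `headers` is an iterable of (name, value) pairs, as
    http.client/urllib return them, so repeated headers are all taken into account."""
    parent, target = origin_of(parent_url), origin_of(target_url)
    csp_lists, xfo_values = [], []
    for name, value in headers:
        n = name.lower()
        if n == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    csp_lists.append(parts[1:])
        elif n == "x-frame-options":
            xfo_values.extend(v.strip().lower() for v in value.split(","))

    # frame-ancestors, when present, overrides X-Frame-Options; every policy must allow.
    for sources in csp_lists:
        if not any(_source_matches(s, parent, target) for s in sources):
            shown = " ".join(sources) or "(empty, same as 'none')"
            return False, f"blocked by CSP frame-ancestors {shown}"
    if csp_lists:
        return True, "allowed by CSP frame-ancestors"

    values = set(xfo_values)
    if "deny" in values:
        return False, "blocked by X-Frame-Options: DENY"
    if values == {"sameorigin"}:
        if parent == target:
            return True, "allowed by X-Frame-Options: SAMEORIGIN (same origin)"
        return False, "blocked by X-Frame-Options: SAMEORIGIN (cross-origin parent)"
    if "sameorigin" in values:
        # SAMEORIGIN mixed with other values (e.g. ALLOW-FROM) is a conflict, treated as DENY
        return False, f"blocked: conflicting X-Frame-Options values {sorted(values)}"
    # ALLOW-FROM and other unrecognised values are ignored by current browsers
    return True, "no enforced framing restriction (frameable by any origin)"


def check_url(url: str, parent_url: str):
    """Fetch `url` (network access needed) and report whether `parent_url` may embed it."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return framing_allowed(resp.headers.items(), parent_url, url)


if __name__ == "__main__":
    parent = "https://my-domain.duckdns.org"               # the page holding the iframe (assumed)
    target = "https://portainer.my-domain.duckdns.org"     # the proxied Portainer UI (assumed)
    # Constructed sample responses, not captured from a real server.
    cases = {
        "Portainer upstream default": [("X-Frame-Options", "deny")],
        "after header_downstream -X-Frame-Options": [],
        "CSP frame-ancestors for the parent site only":
            [("Content-Security-Policy", "frame-ancestors https://my-domain.duckdns.org")],
    }
    for label, hdrs in cases.items():
        print(f"{label}: {framing_allowed(hdrs, parent, target)}")
```

To run it against the live proxy, call `check_url("https://portainer.my-domain.duckdns.org/", "https://my-domain.duckdns.org")` from the host that can reach it. For the third case, the Caddy v1 equivalent of the fix in #5 is to replace the header rather than drop it: `header_downstream Content-Security-Policy "frame-ancestors https://my-domain.duckdns.org"` next to the `-X-Frame-Options` line (that origin is an assumption; use whatever page actually hosts the iframe).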