AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
25.43k stars 1.83k forks

Unable to login to AdGuard Home from a iFrame #2783

Open whattheschnell opened 3 years ago

whattheschnell commented 3 years ago

UPDATE ON THE ISSUE: Please check out the issue description and solutions here: https://github.com/AdguardTeam/AdGuardHome/issues/2783#issuecomment-1512610995


Issue Details

Expected Behavior

I'm running AdguardHome in Docker through UnRaid. Trying to load iframe through a docker front end organizer (DashAssistant) AdGuard Home UI set up as an iFrame panel. Access through Chrome on Windows 10. The iFrame should load the site, allow login, and full access to the complete UI.

Actual Behavior

Everything works correctly when HA is launched in a computer web browser. However, after attempting to log on, you are returned to the login screen. No message is generated saying invalid credentials, but if bad credentials are used, that message is displayed. This only happens in the iFrame configuration; going directly to the AdGuard Home web interface works as expected.

Additional Information

See other iframe issue. This is not specific to Home Assistant however. https://github.com/AdguardTeam/AdGuardHome/issues/1767

ameshkov commented 3 years ago

Could you please check what's going on in the Network panel in Chrome dev tools?

There should be a request that POSTs login/password to /control/login, do you see it there?

whattheschnell commented 3 years ago

Yes, but it didn't receive a response: image

ameshkov commented 3 years ago

Hm, weird. Could you please check if the request is sent to the proper host? Also, even when there's no response data, the browser should show at least some status.

whattheschnell commented 3 years ago

I made a mistake. It DID send a response. However, no request cookies were sent:

image image

whattheschnell commented 3 years ago

image

ameshkov commented 3 years ago

Well, here we go, third-party cookies are soon to be completely blocked, and iframe seems to be considered a third-party context. Also, using SameSite Secure won't work since it requires HTTPS. I am not sure this can generally be fixed, you may need to always sign in in a first-party context.

The only thing we can do - detect that AGH is inside a cross-site iframe and alert about this.

whattheschnell commented 3 years ago

I could do HTTPS, but there is no reason for my use case to get AGH through the reverse proxy, sign certs, and do cross-site that way. Is there a way to make use of the fact that they are on the same subnet?

ameshkov commented 3 years ago

> Is there a way to make use of the fact that they are on the same subnet?

If I am not mistaken, you can choose to allow third-party cookies for it in Chrome.

makerph commented 3 years ago

I encounter the same issue. Did anyone manage to have a workaround on this?

whattheschnell commented 3 years ago

I did with enabling HTTPS with subdomain name and the reverse proxy.

It's a bad solution for people who only want to access this locally, but it works.

makerph commented 3 years ago

How to do it? Sorry, I'm new to this. Thanks.

kennethpangky commented 2 years ago

Having the same issue as well. Not iOS related, can't do it even on desktop Chrome.

It shows the login screen, then after entering the details, it redirects back to the login screen.

aliekiddo commented 2 years ago

I've been having this issue too for a very long time. I used to be able to log into AdGuard on an older version of HA but I could never get it working again after I had to do a reinstall and re-setup.

NoAdO commented 2 years ago

Same issue, waiting for a solution for a long time.

sanderlv commented 1 year ago

Still having this issue with the latest version of Home Assistant and the latest version of adguard. I am NOT using an addon, but 2 standalone adguard installed servers. Logging in via the "normal webinterface" works fine; when opened from within iframe_panel (via https) it shows the login page but after entering credentials, nothing happens.

sanderlv commented 1 year ago

BUMP - :-(

ameshkov commented 1 year ago

@sanderlv could it be the same issue as here: https://github.com/AdguardTeam/AdGuardHome/issues/2783#issuecomment-793131452?

Please check the comments in the issue, could it be that you're facing the case with an iframe that's loaded in a third-party context?

@ainar-g I generally do not see any issue with setting SameSite to None and just solving this issue at least for now.

sanderlv commented 1 year ago

Not sure what you mean. You point back to this same issue. I have 2 adguard servers behind reverse proxy and full certificates (valid). All works fine but not within an iframe (homeassistant).

ainar-g commented 1 year ago

@ameshkov, I'd rather not do that, at least not by default, for fear of CSRF. We could add an option for that, but again, that would only work with Secure cookies over HTTPS.

ameshkov commented 1 year ago

Well, okay, but that's the only thing we can do.

For now we should advise people to use something like Nginx and rewrite Set-Cookie header's SameSite policy. https://serverfault.com/questions/849888/add-samesite-to-cookies-using-nginx-as-reverse-proxy

aliekiddo commented 1 year ago

Do what to what now?

ameshkov commented 1 year ago

Description

The issue may occur if AdGuard Home is opened inside of an iframe and the iframe source is third-party to the parent website's host. It happens because the session cookie is restricted to be set in first-party context, and in this iframe configuration the context is considered third-party.

Solutions

  1. Host AdGuard Home on the same host as Home Assistant.
  2. Use a reverse proxy in front of AdGuard Home interface and use it to rewrite the Set-Cookie header and add the SameSite=None policy: example with nginx.

sanderlv commented 1 year ago

Can't get it working... using this:

location / {
        proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
    }

I then get: image

And another combination is not even accepted by nginx:

server {
  server_name adguard-01.mydomain.com;
  location / {
    proxy_pass http://backend.int/;
    proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none";
  }
}
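
Added example (not part of the thread and not AdGuard Home project code): the Set-Cookie rewrite from the Solutions comment above, written with nginx's `proxy_cookie_flags` directive (available in nginx 1.19.3 and later) rather than a `proxy_cookie_path` rule. Host names, certificate paths and the upstream address are placeholders.

```nginx
# Added example. Host names, certificate paths and the upstream address
# are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name adguard.example.test;

    ssl_certificate     /etc/nginx/tls/adguard.example.test.crt;
    ssl_certificate_key /etc/nginx/tls/adguard.example.test.key;

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed address of the AdGuard Home web UI
        proxy_set_header Host $host;

        # Insufficient on its own: browsers reject SameSite=None cookies
        # that do not also carry Secure.
        #   proxy_cookie_flags ~ samesite=none;

        # "~" is an empty regex, so the flags apply to every cookie the
        # upstream sets. Secure means the cookie is only sent over HTTPS,
        # which is why this server block terminates TLS.
        proxy_cookie_flags ~ secure samesite=none;

        # SameSite=None also lets requests from any other site carry the
        # session cookie (the CSRF concern raised in the thread). This header
        # at least restricts which origin may embed the UI in a frame.
        add_header Content-Security-Policy "frame-ancestors https://homeassistant.example.test" always;
    }
}
```

Run `nginx -t` before reloading, then confirm in the browser's Network panel that the login response's Set-Cookie header now carries `Secure; SameSite=None`.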