Yooooomi / your_spotify

Self hosted Spotify tracking dashboard
GNU General Public License v3.0

iframe on homarr stopped working in a new version #375

Closed KotletJB closed 6 months ago

KotletJB commented 6 months ago

Describe the bug

iframe on homarr stopped working in new version (screenshot attached)

Expected behavior


working iframe (screenshot: Zrzut ekranu 2024-03-02 014942)

Additional context


(screenshot: Zrzut ekranu 2024-03-18 232515) the web server is throwing 304


Yooooomi commented 6 months ago

Hello, yes this is intentional. Several security issues have been addressed. One possible thing would be to enable iframe through an environment variable. But keep in mind that being able to display a website in an iframe makes it vulnerable to clickjacking.

KotletJB commented 6 months ago

Okay, so how can I do this? I tried the CORS variable but it is not working. Also, I am using this in my home lab that isn't opened to the internet, so security is not in my concerns.

Yooooomi commented 6 months ago

I'll work on something to deactivate the frame security you'll be able to use.

RagingCactus commented 6 months ago

Just to clarify for other readers: As the person who reported the recent security issues, just allowing single origins you control using the new FRAME_ANCESTORS variable is absolutely fine and secure, as you can trust the origins you control. I just want to encourage everyone to only allow specific origins instead of falling back to allowing all by default. You can also enter multiple origins or even wildcards such as *.my-home-apps.example.com if you need to.

But keep in mind that now or in the very near future, browser security measures might still break YourSpotify when it is displayed in an iframe if the framing site and the framed site are not in a same-site relationship (with same-site roughly meaning being served on different subdomains of the same domain). In that case, there is very little that can be done without changing the whole authentication process, and even then it can become quite difficult.

Also, it is not possible to log in to YourSpotify while it is displayed in an iframe. There is nothing that can be done about that, as Spotify itself does not allow its login to be displayed in a frame, again, for security reasons.
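One way to turn a FRAME_ANCESTORS value like the ones described above into a CSP frame-ancestors header and check which ancestor origins it admits, as an added example that is not your_spotify's own code (the project's real separator, defaults and parsing are not on this page and are assumed here):

```javascript
// Added example, not your_spotify's own code: build a CSP frame-ancestors
// directive from a FRAME_ANCESTORS-style value and check which ancestor
// origins it admits. Comma/whitespace separator, default-deny on an empty
// value, and "scheme-less entry matches http and https" are assumptions.
const HOST_SOURCE = /^(https?:\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d{1,5}))?$/i;

// Parse the raw setting into a validated, de-duplicated list of CSP sources.
function frameAncestorsSources(raw) {
  const entries = (raw || '').split(/[\s,]+/).filter(Boolean);
  if (entries.length === 0) return ["'none'"]; // deny framing by default
  const sources = new Set();
  for (const e of entries) {
    if (e === '*') throw new Error("FRAME_ANCESTORS: bare '*' allows clickjacking from any site");
    if (e === "'self'" || HOST_SOURCE.test(e)) sources.add(e.toLowerCase());
    else throw new Error(`FRAME_ANCESTORS: invalid host-source "${e}"`);
  }
  return [...sources];
}

// Content-Security-Policy value to send with every HTML response.
function cspHeaderValue(raw) {
  return `frame-ancestors ${frameAncestorsSources(raw).join(' ')}`;
}

// Does the framing page's origin match one of the sources? Browsers enforce
// this themselves; this mirrors CSP host-source matching so a policy can be
// reviewed before deployment. selfOrigin is only needed when 'self' is used.
function originAllowed(origin, sources, selfOrigin) {
  const url = new URL(origin);
  const host = url.hostname.toLowerCase();
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (selfOrigin && origin === selfOrigin) return true; continue; }
    const [, scheme, pattern, srcPort] = src.match(HOST_SOURCE);
    if (scheme && scheme !== url.protocol + '//') continue;
    // No explicit port in the source means only the scheme's default port matches.
    if (srcPort ? srcPort !== port : url.port !== '') continue;
    // CSP wildcard rule: "*.example.com" matches sub.example.com but NOT example.com itself.
    const hostOk = pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : host === pattern;
    if (hostOk) return true;
  }
  return false;
}
```

Note the wildcard caveat: an entry such as *.my-home-apps.example.com does not admit the bare my-home-apps.example.com origin, which needs its own entry.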

KotletJB commented 6 months ago

Thanks, works like a charm (screenshot attached)