⚠️ Embedding the public dashboard - BREAKING CHANGE

[alexjustesen]

⚠️ Breaking change

For those embedding their Speedtest Tracker public dashboards as of 0.14.2 this will be broken and stop functioning. TL;DR: Not secure, don't like that.

📜 Description

As of v0.14.1 embedding the public dashboard into something like Home Assistant's dashboard or using an iframe was broken because of CORS and requiring a CSRF token to validate the request.

0.14.2-beta series tested removing CSRF protections on the dashboard. During exploration of this solution it was discovered that in Livewire, the package used to provide reactivity, there currently isn't a good way of disabling this on a specific route.

The solution was to disable CSRF protection on ALL livewire/* requests which could open an attack surface for dashboards exposed to the internet. This isn't an acceptable solution IMO.

🔗 Past linked issues

• 411

• 752

🤔 Proposed solution

Develop a new dashboard that is specifically for embedding into websites or other dashboards like Home Assistant. The dashboard should improve upon the current performance issues and not compromise security for features.

🛣️ Possible solutions

• If Livewire releases a 1st party easy way of disabling csrf on read-only requests, I'll used that https://github.com/livewire/livewire/discussions/7563
• Build a new dashboard that leverages an API instead of Livewire to update charts and metrics

🙋‍♂️ FAQs

• What's the risk in just disabling csrf?: Cross Site Request Forgery (CSRFC) provides protection against requests and actions that don't originate from the authenticated user or the application.
• Will the public dashboard keep working?: Yes, you just won't be able to embed it within another dashboard or website.
• When do you plan on bringing back embeddable dashboards?: Once I'm through fixing data issues in the next major release (v0.16.0) I'll be pivoting back to developing a secure and performant solution.

👇 I'll be tracking all research and updates in the comments below. Feel free to ask any questions or provide input.

[alexjustesen]

1027 removes code related to embedding the public dashboard.

[alexjustesen]

Design idea, the dashboard should be big and bold so KPI's, charts and data are easily readable.

Tempest weather station dashboard

[ZoXx]

any news here?

[alexjustesen]

any news here?

None yet, DQ issues need to be resolved first.

[fischerphilipp]

Not sure if this is news, but with the latest Home Assistant release (2024.4) I can simply embed the public dashboard via the new "Webpage" dashboard type. I just tried it and it works perfectly

[ZoXx]

iobroker hasnt this feature. Need still public dashboard site for seeing it.

[fischerphilipp]

Unfortunately I have to correct myself: Embedding the public dashboard works until you try to select a time interval other than the default "last 24h". If you select "last week" or "last month" you get a browser error saying "This page has expired. Would you like to refresh the page?"

[ZoXx]

Any news @alexjustesen ? 🙂

[alexjustesen]

Explore using https://wire-elements.dev/blog/embed-livewire-components-using-wire-extender