alexjustesen / speedtest-tracker

Speedtest Tracker is a self-hosted application that monitors the performance and uptime of your internet connection.
https://speedtest-tracker.dev/
MIT License

disable login to set iframe on tablet #752

Closed ZoXx closed 11 months ago

ZoXx commented 1 year ago

I am currently still using the old speedtesttracker from henry. It is integrated on my smarthome tablet as an iframe and has the advantage that no login is necessary here.

Is it planned that the login will be omitted in your speedtesttracker? Then this would be interesting for me. The login is not needed.

alexjustesen commented 1 year ago

Feature is planned to move the dashboard out of being behind authentication...

IMO settings and such should remain behind it.

toxic0berliner commented 1 year ago

I also need this, I have authelia in front and don't care to remember yet another username/password for something like this that doesn't seem critical in any way for me. The documentation speaks of an AUTH env var but it has no effect as of now. Hope this gets changed

alexjustesen commented 1 year ago

> The documentation speaks of an AUTH env var but it has no effect as of now. Hope this gets changed

Can you link to where this is in the docs? Any reference to the old AUTH variable that didn't do anything should have been removed.

toxic0berliner commented 1 year ago

It's nowhere on your site or repo, I might have found it on someone else's repo who gave a compose file for this

ZoXx commented 1 year ago

How to link the public dashboard?

ZoXx commented 1 year ago

I mean if I set an iframe on the tablet there is the error "has refused the connection."

ZoXx commented 1 year ago

Error via Chrome: Refused to display XXXXX in a frame because it set 'X-Frame-Options' to 'sameorigin'.

ZoXx commented 1 year ago

Any news here? Would be nice to use this docker for my projects.

alexjustesen commented 1 year ago

Missed doing this: https://laravel.com/docs/10.x/csrf#csrf-excluding-uris

ZoXx commented 1 year ago

So it will be possible with the next release? :)

alexjustesen commented 1 year ago

> So it will be possible with the next release? :)

maybe

ZoXx commented 1 year ago

Good morning :) Update was done, but next error messages are here:

Refused to display 'XXXX' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM SAMEORIGIN, SAMEORIGIN'). Falling back to 'deny'

Unchecked runtime.lastError: A listener indicated an asynchronous response by returning true, but the message channel closed before a response was received

alexjustesen commented 1 year ago

It's just happening on / and not any other URL right?

ZoXx commented 1 year ago

I have the Docker running on my Nas server. My iobroker docker is also running there. the iframe is embedded in the vis (same ip address).

Embedded via iframe with the url: http://192.168.178.2:5008

alexjustesen commented 1 year ago

v0.13.3 tagged and building, this should fix the duplicate SAMEORIGIN that was causing the issue

ZoXx commented 1 year ago

Nope :(

Refused to display 'http://192.168.178.2:5008/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

Unchecked runtime.lastError: A listener indicated an asynchronous response by returning true, but the message channel closed before a response was received

alexjustesen commented 1 year ago

It was in the PR as I haven't been able to update the docs yet but you'll need to set ALLOW_EMBEDS= to the domain you're embedding in. Then it should work.

ZoXx commented 1 year ago

There are no settings for this in iobroker. Other iframes, websites etc run perfectly.

alexjustesen commented 1 year ago

> There are no settings for this in iobroker. Other iframes, websites etc run perfectly.

What's iobroker

ZoXx commented 1 year ago

https://hub.docker.com/r/buanet/iobroker

But that is not the problem. The problem is the iframe from speedtest.

alexjustesen commented 1 year ago

In speedtest tracker did you pass ALLOW_EMBEDS=http://192.168.178.2 or with whatever your iobroker url is?

ZoXx commented 1 year ago

Here are my settings.

marky421 commented 1 year ago

I am also getting this X-Frame-Options error. I use Nginx Proxy Manager to access speedtest-tracker via https://speedtest.mydomain.com, but now I am trying to integrate with Organizr as an iFrame tab pointing to my speedtest subdomain similar to what I have configured for Plex, Sonarr, Radarr, etc. I have tried setting ALLOW_EMBEDs=http://<IP of Organizr host> and I have also tried setting APP_URL=https://speedtest.mydomain.com but neither seems to have any effect. I don't have any issues opening https://speedtest.mydomain.com, it's only when I try opening it via an iFrame in Organizr that the X-Frame-Option error occurs.

For what it's worth, both speedtest-tracker and Organizr are running on the same docker host.

marky421 commented 12 months ago

I was looking at this again today and while it still isn't working for me, I'm getting a slightly different error now:

Refused to display 'https://speedtest.mydomain.io/' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('ALLOW-FROM https://organizr.mydomain.io/, SAMEORIGIN'). Falling back to 'deny'.

alexjustesen commented 12 months ago

I'm wondering if nginx is sending another header too, moving on from time zones so back to this later this week.

alexjustesen commented 11 months ago

If someone can give iframe a test again #1002 and #1003 should fix the issue, worked within my home lab for me. You'll need to pull the latest :dev release to test it.

Note: With how polling and filters are currently handled you might get a "page expired" error, I'm aware of that and will have a fix soon.

marky421 commented 11 months ago

I was able to test this with the latest :dev release and it is now loading the page for me, but there is still an error being logged to the console regarding the X-Frame-Options:

Invalid 'X-Frame-Options' header encountered when loading 'https://speedtest.mydomain.io/': 'ALLOW-FROM https://organizr.mydomain.io/' is not a recognized directive. The header will be ignored.

Apparently the ALLOW-FROM directive is considered obsolete: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#allow-from_origin

Everything does appear to be working as expected, but I'm not sure if I should be worried about this error.

alexjustesen commented 11 months ago

You can probably ignore it for now, I know I need to replace it with content policy at some point but most browsers still support it. Now that this is "working" minus the big closing this issue..
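
Added example, not part of the original thread or the project's code: a simplified JavaScript model of the HTML Standard's X-Frame-Options check and of CSP `frame-ancestors`, run against the header values quoted in the errors above. The function names, the `unrelated.example` parent and the reduced `frame-ancestors` matching are assumptions made for illustration.

```javascript
// Simplified model of the framing check a browser applies to a response.
// Assumptions: one embedding parent; frame-ancestors matching covers only
// 'none', 'self', '*' and exact origins.
const originOf = (url) => { try { return new URL(url).origin; } catch { return null; } };

function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function mayBeFramed({ pageUrl, parentUrl, xfo = [], csp = '' }) {
  const page = originOf(pageUrl), parent = originOf(parentUrl);
  const sources = frameAncestors(csp);
  if (sources !== null) {
    // When frame-ancestors is present, X-Frame-Options is not consulted.
    const allowed = sources.some((s) => s === '*' ||
      (s === "'self'" ? parent === page : !s.startsWith("'") && originOf(s) === parent));
    return { allowed, reason: 'frame-ancestors' };
  }
  // Repeated headers are combined, split on commas and lower-cased into a set.
  const values = new Set(xfo.join(',').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'allowall', 'sameorigin'].some((k) => values.has(k));
  if (values.size > 1) {
    return known ? { allowed: false, reason: 'conflicting values, treated as deny' }
                 : { allowed: true, reason: 'unrecognized values ignored' };
  }
  if (values.has('deny')) return { allowed: false, reason: 'deny' };
  if (values.has('sameorigin')) return { allowed: parent === page, reason: 'sameorigin' };
  return { allowed: true, reason: values.size ? 'unrecognized value ignored' : 'no restriction' };
}

// Header values quoted in the thread; the unrelated parent URL is constructed.
const page = 'https://speedtest.mydomain.io/';
const organizr = 'https://organizr.mydomain.io/';
const other = 'https://unrelated.example/';
const allowFrom = ['ALLOW-FROM https://organizr.mydomain.io/'];
console.log(mayBeFramed({ pageUrl: page, parentUrl: organizr, xfo: [...allowFrom, 'SAMEORIGIN'] }));
console.log(mayBeFramed({ pageUrl: page, parentUrl: other, xfo: allowFrom }));
console.log(mayBeFramed({ pageUrl: page, parentUrl: other, xfo: allowFrom,
  csp: 'frame-ancestors https://organizr.mydomain.io' }));
```

The second result is the case behind the console warning: a lone `ALLOW-FROM` is ignored, so the page loads in Organizr but is equally framable from any other origin. The third shows `frame-ancestors` limiting framing to the Organizr origin.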

alexjustesen commented 11 months ago

#1019 fixes the expired page warning, will be included in the next release.