butlerx / wetty

Terminal in browser over http/https. (Ajaxterm/Anyterm alternative, but much better)
https://butlerx.github.io/wetty
MIT License

X-Frame-Options set to sameorigin #164

Closed andredebuisne closed 5 years ago

andredebuisne commented 5 years ago

Hi! When trying to view Wetty in an iframe, Chrome says: Refused to display 'https://XXXX:3000/wetty' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I have tried to use helmet to configure this, in `src/server/server.ts`:

```ts
//...
import * as frameguard from 'frameguard';
//...
.use(helmet({frameguard: {action : 'allow-from', domain : 'XXXX'}}))
//...
```

This does not seem to work, as I still get the same error message. Do you have any idea how to fix this?

antonyjim commented 5 years ago

If you are serving the parent page over a different port, you will receive that error. SAMEORIGIN is defined by having the same protocol, subdomain, domain and port (see https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy for more info). I am able to serve Wetty in an iframe using these headers:

```
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
X-XSS-Protections: 1; mode=block
```

using the same protocol (https), subdomain and port. I am using NGINX as a proxy on export port 443 for my node app running locally on port 8020 and Wetty on port 3000.
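The origin comparison antonyjim describes, as an added example that is not code from the wetty project or from anyone in this thread: a small model of how a browser evaluates `X-Frame-Options` against the (scheme, host, port) tuple. It relies on Node's WHATWG `URL` parser, whose `origin` property drops default ports, so `https://host` and `https://host:443` compare equal. The URLs at the bottom are constructed to mirror the situation in this issue: a page on the default HTTPS port trying to frame Wetty exposed directly on port 3000.

```javascript
// Added example, not code from the wetty project or from this thread's
// participants: a model of X-Frame-Options evaluation against the
// (scheme, host, port) origin tuple.

// Origin of a URL as "scheme://host[:port]", with default ports omitted.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Same-origin means identical scheme, host (including subdomain) and port.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Returns true if a browser honouring X-Frame-Options would render
// `framedUrl` inside a document at `parentUrl`, given the header value
// `xfoValue` sent with the framed response (null or '' means no header).
function xfoAllowsFraming(parentUrl, framedUrl, xfoValue) {
  const directive = (xfoValue || '').trim().toUpperCase();
  if (directive === 'DENY') return false;
  if (directive === 'SAMEORIGIN') return sameOrigin(parentUrl, framedUrl);
  // ALLOW-FROM was never implemented by Chrome and has been dropped by
  // Firefox; like any unrecognised value it is ignored, so it grants no
  // protection. An absent header imposes no restriction either.
  return true;
}

// Human-readable verdict, echoing the wording of the error quoted above.
function explain(parentUrl, framedUrl, xfoValue) {
  if (xfoAllowsFraming(parentUrl, framedUrl, xfoValue)) {
    return `allowed: ${originOf(parentUrl)} may frame ${originOf(framedUrl)}`;
  }
  return `refused: X-Frame-Options '${(xfoValue || '').trim()}' does not permit ` +
    `${originOf(parentUrl)} to frame ${originOf(framedUrl)}`;
}

// Constructed URLs: the dashboard sits on the default HTTPS port, Wetty is
// reached directly on port 3000, so the ports differ and framing is refused.
console.log(explain('https://dashboard.example/',
  'https://dashboard.example:3000/wetty', 'SAMEORIGIN'));
// After fronting Wetty with a reverse proxy on the same origin (a path
// prefix on port 443, as in the NGINX setup above), the origins match.
console.log(explain('https://dashboard.example/',
  'https://dashboard.example/wetty', 'SAMEORIGIN'));
```

The second call is the reverse-proxy arrangement described above: once Wetty is served under the parent's own scheme, host and port, SAMEORIGIN is satisfied without weakening the header.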

butlerx commented 5 years ago

It is now possible to embed wetty by disabling XSS protections by passing the flag `--bypasshelmet`.

kopax commented 1 month ago

> It is now possible to embed wetty by disabling XSS protections by passing the flag `--bypasshelmet`.

Hi @butlerx, I don't see the environment variable `--bypasshelmet` here: https://butlerx.github.io/wetty/#/atoz?id=system-environment-variables

I use convention over configuration and Docker; any clue how I can disable XSS protection?

Thanks for sharing!
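The `--bypasshelmet` flag butlerx mentions, and the question kopax asks, both come down to letting another origin frame the terminal. As an added example that is not code from the wetty project or from this thread, the following Express/Connect-style middleware permits framing only from an explicit allow-list of parent origins by sending a `Content-Security-Policy: frame-ancestors` directive, rather than switching the whole security-header layer off. It assumes the usual `(req, res, next)` signature and `res.setHeader` / `res.removeHeader`; the parent origin `https://dashboard.example` is a constructed placeholder.

```javascript
// Added example, not code from the wetty project: framing allow-list via
// CSP frame-ancestors, so the remaining security headers stay in place.

// Build the frame-ancestors directive. Entries are normalised to bare
// origins so "https://parent.example/portal" and "https://parent.example"
// collapse to one source; an unparsable entry throws at construction time.
function frameAncestorsDirective(allowedParents) {
  const origins = Array.from(new Set(allowedParents.map((u) => new URL(u).origin)));
  return ['frame-ancestors', "'self'", ...origins].join(' ');
}

// X-Frame-Options cannot express an allow-list. Where both headers are
// sent, frame-ancestors takes precedence in browsers that support it, so
// keep SAMEORIGIN only for a policy with no external parent and omit the
// header otherwise.
function xfoFallback(allowedParents) {
  return allowedParents.length === 0 ? 'SAMEORIGIN' : null;
}

// Middleware factory. Mount it after any generic security-header
// middleware so this policy is the one that reaches the client.
function frameAncestors(allowedParents) {
  const csp = frameAncestorsDirective(allowedParents);
  const xfo = xfoFallback(allowedParents);
  return function frameAncestorsMiddleware(req, res, next) {
    res.setHeader('Content-Security-Policy', csp);
    if (xfo) {
      res.setHeader('X-Frame-Options', xfo);
    } else {
      res.removeHeader('X-Frame-Options');
    }
    next();
  };
}

// Stub response object so the middleware can be exercised without a real
// HTTP server; returns the headers it would send and whether next() ran.
function runWithStub(middleware, initialHeaders = {}) {
  const headers = { ...initialHeaders };
  const res = {
    setHeader: (name, value) => { headers[name] = value; },
    removeHeader: (name) => { delete headers[name]; },
  };
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Constructed example: only the dashboard at https://dashboard.example may
// embed the terminal; an earlier SAMEORIGIN header is replaced by the policy.
console.log(runWithStub(frameAncestors(['https://dashboard.example/portal']),
  { 'X-Frame-Options': 'SAMEORIGIN' }).headers);
```

With an empty allow-list the middleware behaves like the default SAMEORIGIN setup, so the same code path serves both the locked-down and the deliberately embedded deployment.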