citizenfx / fivem

The source code for the Cfx.re modification frameworks, such as FiveM, RedM and LibertyM, as well as FXServer.
https://cfx.re/

NUI should remove X-Frame-Options/Content-Security-Policy frame-ancestors #942

Open blattersturm opened 3 years ago

blattersturm commented 3 years ago

https://forum.cfx.re/t/embeds-of-twitch-tv-not-working/4748703

Since NUI is loading everything in an iframe, and we don't want to explicitly expose implementation details for this state, people can't load sites that use 'clickjacking protection' in NUI.

Since NUI loads all servers' state in an isolated context, and users would be extremely silly and unlikely to grant any privileged cookies/etc. to a server's NUI page, it may be workable to remove/patch these headers in a request filter.
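The request-filter idea above, as an added C++ example (not FiveM's own code): it rewrites a response's header set, dropping X-Frame-Options and removing only the frame-ancestors directive from Content-Security-Policy and Content-Security-Policy-Report-Only, so the rest of the site's policy stays in force. The `Headers` container and the function names are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Lower-case copy for case-insensitive header and directive matching.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Trim ASCII whitespace from both ends.
static std::string trim(const std::string& s) {
    auto b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t\r\n") - b + 1);
}

// Remove only the frame-ancestors directive from a CSP value; every other
// directive (default-src, script-src, ...) is kept. Returns "" if none remain.
std::string strip_frame_ancestors(const std::string& csp) {
    std::stringstream ss(csp);
    std::string directive, out;
    while (std::getline(ss, directive, ';')) {
        std::string d = trim(directive);
        if (d.empty()) continue;
        // The directive name is the first token and is matched case-insensitively.
        if (lower(d.substr(0, d.find_first_of(" \t"))) == "frame-ancestors") continue;
        out += (out.empty() ? "" : "; ") + d;
    }
    return out;
}

// Hypothetical header container: name -> value, repeated names allowed.
using Headers = std::multimap<std::string, std::string>;

// Drop X-Frame-Options, rewrite CSP and CSP-Report-Only (dropping the header
// if it becomes empty), and pass every other header through unchanged.
Headers filter_frame_headers(const Headers& in) {
    Headers out;
    for (const auto& kv : in) {
        std::string n = lower(kv.first);
        if (n == "x-frame-options") continue;
        if (n == "content-security-policy" || n == "content-security-policy-report-only") {
            std::string v = strip_frame_ancestors(kv.second);
            if (!v.empty()) out.emplace(kv.first, v);
            continue;
        }
        out.emplace(kv.first, kv.second);
    }
    return out;
}
```

Removing only frame-ancestors rather than the whole CSP header matters: the site's script-src and other directives keep protecting the embedded page. As the comment notes, such a filter belongs only in NUI's isolated context.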

phumberdroz commented 2 years ago

This would be nice to see. I am currently hitting this.

phumberdroz commented 2 years ago

Okay I was able to solve this today.

I had an old fx_version set in my fxmanifest.lua. When I set it to fx_version 'cerulean', the URL changed from nui://<resource_name> to https://cfx-nui-<resource_name>, which allowed CSP headers to properly work.

blattersturm commented 2 years ago

In DUI frames, I suspect, however?

Michele-Arici commented 1 month ago

Any updates?