cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

cockpit.conf origins not allowing iframe embed #19834

Open red4dj opened 9 months ago

red4dj commented 9 months ago

Explain what happens

Hi, I have cockpit set up in an iframe on my server dashboard but cross-origin is getting in the way.

https://mysite.com has an iframe pointing to https://192.168.0.2:9090

Updated my cockpit.conf to the following:

[WebService]
Origins = https://mysite.com

I get a blocked connection and a server error if I attempt to open it directly (as is somewhat expected).

So, I updated my cockpit.conf to this:

[WebService]
Origins = https://192.168.0.2:9090 https://mysite.com

From what I understand, this should work, but I still get a blocked connection.

The cross-origin policy when I log in directly (https://192.168.0.2:9090) is:

default-src 'self'; connect-src wss://192.168.0.2:9090 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; font-src 'self' data:; img-src 'self' data:; block-all-mixed-content

The cross-origin policy given when loaded in the iframe (via https://mysite.com) is:

connect-src 'self' https://192.168.0.2:9090 wss://192.168.0.2:9090; form-action 'self' https://192.168.0.2:9090; base-uri 'self' https://192.168.0.2:9090; object-src 'none'; font-src 'self' https://192.168.0.2:9090 data:; img-src 'self' https://192.168.0.2:9090 data:; block-all-mixed-content; default-src 'self' https://192.168.0.2:9090 'unsafe-inline'

I know the cockpit.conf is loading properly because the other settings in there (LoginTitle, LoginTo, etc.) work properly.

Thanks!

Version of Cockpit

308-1~bpo12+1

Where is the problem in Cockpit?

Networking

Server operating system

Debian

Server operating system version

6.1.69

What browsers are you using?

Chrome

System log

Jan 10 20:29:02 terastation-1 cockpit-tls[3715]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jan 10 20:29:09 terastation-1 sudo[4598]: pam_unix(sudo:session): session closed for user root
Jan 10 20:29:10 terastation-1 sudo[4703]:   ****** : TTY=pts/0 ; PWD=/home/****** ; USER=root ; COMMAND=/usr/bin/journalctl --since -1m
Jan 10 20:29:10 terastation-1 sudo[4703]: pam_unix(sudo:session): session opened for user root(uid=0) by ******(uid=1000)

steeldomejeff commented 9 months ago

I have the same problem. No matter what the 'Origins =' value in cockpit.conf is set to, it appears to apply X-Frame-Options = sameorigin. Can anyone confirm this is actually a bug or did the handler change in some way?
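An added diagnostic for this thread (example code, not part of Cockpit) that applies the browser framing rule to the headers quoted above: when a page's CSP carries a frame-ancestors directive, that directive alone decides whether the page may be framed and X-Frame-Options is ignored; without it, X-Frame-Options decides. Neither CSP red4dj quotes contains frame-ancestors, so if the response also carries the X-Frame-Options: sameorigin that steeldomejeff reports, that header is what blocks the embed from https://mysite.com. The header values below are copied from the thread as constructed sample inputs, not captured live.

```python
# Constructed sample inputs for the thread above: the two CSP headers quoted by
# red4dj and the X-Frame-Options value steeldomejeff reports (not live captures).
DIRECT_CSP = ("default-src 'self'; connect-src wss://192.168.0.2:9090 'self'; form-action 'self'; "
              "base-uri 'self'; object-src 'none'; font-src 'self' data:; img-src 'self' data:; "
              "block-all-mixed-content")
IFRAME_CSP = ("connect-src 'self' https://192.168.0.2:9090 wss://192.168.0.2:9090; "
              "form-action 'self' https://192.168.0.2:9090; base-uri 'self' https://192.168.0.2:9090; "
              "object-src 'none'; font-src 'self' https://192.168.0.2:9090 data:; "
              "img-src 'self' https://192.168.0.2:9090 data:; block-all-mixed-content; "
              "default-src 'self' https://192.168.0.2:9090 'unsafe-inline'")
XFO = "sameorigin"

def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def framing_allowed(page_origin, embedder_origin, csp, xfo=None):
    """Decide whether a browser lets embedder_origin frame a page from page_origin.
    Rule: a frame-ancestors directive in the page's CSP decides by itself (X-Frame-Options
    is then ignored); without it, X-Frame-Options decides. Only 'self', '*' and exact
    scheme://host[:port] origins are matched here (no host wildcards)."""
    page, embedder = page_origin.lower(), embedder_origin.lower()
    ancestors = parse_csp(csp).get("frame-ancestors")
    if ancestors is not None:
        for src in (s.strip("'").lower() for s in ancestors):
            if src == "*" or src == embedder or (src == "self" and embedder == page):
                return "allowed"
        return "blocked-by-csp"
    if xfo is None:
        return "allowed"  # neither header present: the browser does not restrict framing
    value = xfo.strip().lower()
    if value == "sameorigin":
        return "allowed" if embedder == page else "blocked-by-xfo"
    return "blocked-by-xfo" if value == "deny" else "xfo-unrecognised"

def diagnose():
    """Run the check for the two situations described in the issue."""
    page, site = "https://192.168.0.2:9090", "https://mysite.com"
    return {
        "direct": framing_allowed(page, page, DIRECT_CSP, XFO),
        "iframe": framing_allowed(page, site, IFRAME_CSP, XFO),
        "iframe_with_frame_ancestors": framing_allowed(  # what would permit this embed
            page, site, IFRAME_CSP + "; frame-ancestors 'self' " + site, XFO),
    }
```

Run `diagnose()` against headers captured from your own instance (browser devtools, Network tab) to see which header is doing the blocking before changing any configuration.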