[QUESTION] Could we get a more noob-friendly documentation section of the X-Frame-Options: ALLOWORIGIN docs?

[JPDucky]

Question

I'm gonna try and frame this from the reference of the beginner, as that's what I am (I think), and I think the docs assume the reader has more of a fundamental understanding than they may actually have. I would also like to add that I have not yet been able to get this to work, and I have been trying for some time now, so hopefully someone can swoop in and save us normies that are still a little green.

The issue pertaining to my discussion surrounds that of the pop-up modal/workspace view not being able to display due to the X-Frame-Options: ALLOWORIGIN not being passed or set correctly (I think). I am using the docker container, as I was unable to build the app from source because I had an issue setting up the environment, which may be more related to the distro I'm using.

Part 1

The first thing I came across when trying to troubleshoot this was the docs, where it says :

Refused to Connect in Modal or Workspace View#

This is not an issue with Dashy, but instead caused by the target app preventing direct access through embedded elements.

As defined in [RFC-7034](https://datatracker.ietf.org/doc/html/rfc7034), for any web content to be accessed through an embedded element, it must have the [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) HTTP header set to ALLOW. If you are getting a Refused to Connect error then this header is set to DENY (or SAMEORIGIN and it's on a different host). Thankfully, for self-hosted services, it is easy to set these headers.

These settings are usually set in the config file for the web server that's hosting the target application, here are some examples of how to enable cross-origin access with common web servers: 

So my first thought was to try and see what webserver dashy was running on. I had a little bit of trouble at first figuring that out, but I am assuming now it runs on express.js. I couldn't figure out how to add the X-Frame-Options: ALLOWORIGIN bit to that server, as the docs mention NGINX, Caddy, Apache, and LightHttpd. So I tried spinning up both nginx and nginx proxy manager, and no matter what set of configurations I threw at it, including setting the X-Frame-Options and a wide open CORS config, I cannot seem to get a proper configuration up and working.

I also tried adding webServer: headers: X-Frame-Options: ALLOWORIGIN to the conf.yaml file with no luck either.

One thing I will note, is that sometimes the Response Headers X-Frame-Options will come back with ALLOWORIGIN, sometimes deny, even though I have seemingly set them to be ALLOWORIGIN, in the config, and further still sometimes they will refuse to display even when coming back with ALLOWORIGIN. I could not even begin to tell you why that is.

---

Part 2

What I am asking for here is for the docs to be updated to explain some of the more elementary steps involved in resolving this, as from the perspective a beginner that has just spun up a docker container, getting this error and trying to figure out what in the world is going on is a bit daunting, never-mind even resolving the issue (I still have not, will keep trying). If you could explain whether or not these settings need to be applied inside the docker container somewhere, outside it, or both, and where, etc., As resources surrounding the topic are a bit scant.

---

I will keep looking for a way to solve this on my own in the meantime, and update this feed as I learn what I messed up on to try and shed some light for others that may be stuck in my same conundrum.

This has been tried from multiple machines, both locally and remote, from LAN and from WAN, all on the docker container.

Please let me know if there is anything I can provide to help troubleshoot.

Cheers.

Category

Documentation

Please tick the boxes

• You are using a supported version of Dashy (check the first two digits of the version number)
• You've checked that this question hasn't already been raised
• You've checked the docs and troubleshooting guide
• You agree to the code of conduct

[liss-bot]

If you're enjoying Dashy, consider dropping us a ⭐
_{🤖 I'm a bot, and this message was automated}

[liss-bot]

This issue has gone 6 weeks without an update. To keep the ticket open, please indicate that it is still relevant in a comment below. Otherwise it will be closed in 5 working days.

[liss-bot]

This issue was automatically closed because it has been stalled for over 6 weeks with no activity.

[tuxpowered]

IFRAMES do not work on all sites, the site has to allow remotes (e.g: you) to embedded the page in a different website. This obviously can be bad, think of a fakebank.com doing a full iframe around chase.com with a little custome js to steal the content.

This validity is actually checked by your browser ironicly.
You can get a browser plugin such as https://addons.mozilla.org/fr/firefox/addon/ignore-x-frame-options-header/ that can let you "Ignore X-IFrame".

I needed to do this to view several managed systems to make them display in an iframe (like the workspaces). Hope that helps someone.

Ignore X-Frame-Options Header – Adoptez cette extension pour 🦊 Firefox (fr)

Télécharger Ignore X-Frame-Options Header pour Firefox. Allows all sites to be loaded in iframes, despite X-Frame-Options header settings.