Can't make the --allow-iframe or --bypasshelmet work, still showing X-Frame-Options: SAMEORIGIN #380
Comments
Did this at line 23 on server/socketServer/security.ts:

Tested and works fine with the --allow-iframe now :)

Thanks, would you be able to make this into a PR and I can merge it.

It was easier than all those lines, just including the frameguard: false above. Anyway, this fix shows OK for my usage and test env (nginx on the same host where wetty is being executed). Probably defaultSrc (or frameSrc) needs to be a parameter so CSP can allow certain addresses and avoid disabling the whole CSP.

Hi Pablo, thanks for your update. I'm using wetty 2.3.0 and I can't find the security.ts file. I tried updating the security.js instead and restarted the service, but I am still getting the sameorigin output.

The new code (security.js):
[root@lxutlhpocdevs03 socketServer]# wetty --version
[root@lxutlhpocdevs03 socketServer]# cat security.js
if (allowIframe) { };

Restarted the service:
[root@lxutlhpocdevs03 socketServer]# wetty --ssh-host lxutlhpocdevs02.example.com --allow-iframe --allow-remote-hosts

Run the curl again:
[root@lxutlhpocdevs03 ~]# curl --head http://lxutlhpocdevs03.example.com:3000/wetty

Thanks

#381 wasn't sufficient for me :( Only by adding this code block can I embed it in iframes.

pablo-zarate and alonsomoya, thanks! It works.
Describe the bug
Hello,
I'm trying to embed WeTTY on my Apache-hosted page using an HTML iframe. I got an error saying "refused to connect". After digging, I found out that there is an option --allow-iframe, but after passing it and restarting wetty, I still got the same error. I also tried --bypasshelmet, with the same error.
The HTTPD is listening on port 80.
WeTTY is listening on port 3000.
My HTML looks like this:
<style> body { margin: 0; padding: 0; } .terminal { font-family: monospace; color: white; background: black; width: 800px; height: 500px; } </style>
lxutlhpocdevs03 Console
<iframe src="http://lxutlhpocdevs03.example.com:3000/wetty" title="lxutlhpocdevs03 Console" border="1" width="800" height="500">
To Reproduce
Steps to reproduce the behavior:
SERVER - first try, passing --bypasshelmet
[root@lxutlhpocdevs03 wetty]# wetty --version
2.3.0
[root@lxutlhpocdevs03 wetty]# wetty --ssh-host lxutlhpocdevs02.example.com --bypasshelmet
{"base":"/wetty/","label":"Wetty","level":"info","message":"Starting server","port":3000,"timestamp":"2022-02-03T19:05:35.184Z","title":"WeTTY - The Web Terminal Emulator"}
{"connection":"http","label":"Wetty","level":"info","message":"Server started","port":3000,"timestamp":"2022-02-03T19:05:35.209Z"}
{"label":"Wetty","level":"http","message":"HEAD /wetty 200 7ms","meta":{"req":{"headers":{"accept":"/","host":"lxutlhpocdevs03.example.com:3000","user-agent":"curl/7.61.1"},"httpVersion":"1.1","method":"HEAD","originalUrl":"/wetty","query":{},"url":"/wetty"},"res":{"statusCode":200},"responseTime":7},"timestamp":"2022-02-03T19:05:46.679Z"}
CLIENT showing SAMEORIGIN with self security-policy
[s0998fue@lxutlhpocdevs03 test]$ curl --head http://lxutlhpocdevs03.example.com:3000/wetty
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;connect-src 'self' ws://lxutlhpocdevs03.example.com:3000
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
Content-Length: 1138
ETag: W/"472-S2vHeHsLjCISBT3Di/V0rk/j5T8"
Vary: Accept-Encoding
Date: Thu, 03 Feb 2022 19:05:46 GMT
Connection: keep-alive
Keep-Alive: timeout=5
2ND TRY with --allow-iframe together with --bypasshelmet
[root@lxutlhpocdevs03 wetty]# wetty --ssh-host lxutlhpocdevs02.example.com --bypasshelmet --allow-iframe
{"base":"/wetty/","label":"Wetty","level":"info","message":"Starting server","port":3000,"timestamp":"2022-02-03T19:07:20.563Z","title":"WeTTY - The Web Terminal Emulator"}
{"connection":"http","label":"Wetty","level":"info","message":"Server started","port":3000,"timestamp":"2022-02-03T19:07:20.586Z"}
{"label":"Wetty","level":"http","message":"HEAD /wetty 200 6ms","meta":{"req":{"headers":{"accept":"/","host":"lxutlhpocdevs03.example.com:3000","user-agent":"curl/7.61.1"},"httpVersion":"1.1","method":"HEAD","originalUrl":"/wetty","query":{},"url":"/wetty"},"res":{"statusCode":200},"responseTime":6},"timestamp":"2022-02-03T19:07:24.006Z"}
CLIENT still showing SAMEORIGIN
[s0998fue@lxutlhpocdevs03 test]$ curl --head http://lxutlhpocdevs03.example.com:3000/wetty
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;connect-src 'self' ws://lxutlhpocdevs03.example.com:3000
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
Content-Length: 1138
ETag: W/"472-S2vHeHsLjCISBT3Di/V0rk/j5T8"
Vary: Accept-Encoding
Date: Thu, 03 Feb 2022 19:07:24 GMT
Connection: keep-alive
Keep-Alive: timeout=5
3RD TRY with --allow-iframe only
[root@lxutlhpocdevs03 wetty]# wetty --ssh-host lxutlhpocdevs02.example.com --allow-iframe
{"base":"/wetty/","label":"Wetty","level":"info","message":"Starting server","port":3000,"timestamp":"2022-02-03T19:19:59.487Z","title":"WeTTY - The Web Terminal Emulator"}
{"connection":"http","label":"Wetty","level":"info","message":"Server started","port":3000,"timestamp":"2022-02-03T19:19:59.515Z"}
{"label":"Wetty","level":"http","message":"HEAD /wetty 200 7ms","meta":{"req":{"headers":{"accept":"/","host":"lxutlhpocdevs03.example.com:3000","user-agent":"curl/7.61.1"},"httpVersion":"1.1","method":"HEAD","originalUrl":"/wetty","query":{},"url":"/wetty"},"res":{"statusCode":200},"responseTime":7},"timestamp":"2022-02-03T19:20:06.652Z"}
CLIENT showing SAMEORIGIN
[s0998fue@lxutlhpocdevs03 test]$ curl --head http://lxutlhpocdevs03.example.com:3000/wetty
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';font-src 'self' data:;connect-src 'self' ws://lxutlhpocdevs03.example.com:3000
X-DNS-Prefetch-Control: off
Expect-CT: max-age=0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 0
Content-Type: text/html; charset=utf-8
Content-Length: 1138
ETag: W/"472-S2vHeHsLjCISBT3Di/V0rk/j5T8"
Vary: Accept-Encoding
Date: Thu, 03 Feb 2022 19:20:06 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Expected behavior
Is this the expected behavior? Is there anything wrong with the parameters that I passed?