New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sandstorm in Docker inside a iframe? #3068

Open
xet7 opened this Issue May 10, 2018 · 2 comments

Comments

Projects
None yet
2 participants
@xet7
Contributor

xet7 commented May 10, 2018

Hi,
when running Sandstorm in Docker, can all of Sandstorm webbrowser content be inside a iframe?
So that there is no content-policy etc browser restrictions? Or would that require some environment variable changes before starting Sandstorm in Docker?

I'm thinking, that if new https://friendup.cloud auth was added (to the existing list of passwordless/LDAP/Google etc), then Sandstorm would be able to run inside iframe in Friend web/desktop/mobile apps in iframe.

@kentonv

This comment has been minimized.

Member

kentonv commented May 13, 2018

Sandstorm intentionally disallows running in an iframe for security reasons -- it would allow clickjacking attacks (where a malicious site renders Sandstorm inside an invisible iframe and tricks you into clicking on it).

Maybe some authentication scheme could be devised to permit Friend, though.

@xet7

This comment has been minimized.

Contributor

xet7 commented May 13, 2018

Yes.

For just Wekan, there is separate friend branch in Wekan repo and docker image, without content-policy, and Wekan password auth will be changed to Friend auth.

Similarly for Sandstorm, there exists passwordless login, Google Auth, GitHub, LDAP and SAML. Friend auth would be added, and Sandstorm used in Docker container, without content-policy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment