cockpit.conf origins not allowing iframe embed
Explain what happens
Hi, I have cockpit set up in an iframe on my server dashboard but cross-origin is getting in the way.
https://mysite.com has an iframe pointing to https://192.168.0.2:9090
Updated my cockpit.conf to the following:
[WebService]
Origins = https://mysite.com
I get a blocked connection and a server error if I attempt to open it directly (as is somewhat expected).
So, I updated my cockpit.conf to this:
[WebService]
Origins = https://192.168.0.2:9090 https://mysite.com
From what I understand, this should work, but I still get a blocked connection.
The cross-origin policy when I log in directly (https://192.168.0.2:9090) is:
default-src 'self'; connect-src wss://192.168.0.2:9090 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; font-src 'self' data:; img-src 'self' data:; block-all-mixed-content
The cross-origin policy given when loaded in the iframe (via https://mysite.com) is:
connect-src 'self' https://192.168.0.2:9090 wss://192.168.0.2:9090; form-action 'self' https://192.168.0.2:9090; base-uri 'self' https://192.168.0.2:9090; object-src 'none'; font-src 'self' https://192.168.0.2:9090 data:; img-src 'self' https://192.168.0.2:9090 data:; block-all-mixed-content; default-src 'self' https://192.168.0.2:9090 'unsafe-inline'
I know the cockpit.conf is loading properly because the other settings in there (LoginTitle, LoginTo, etc.) work properly.
Thanks!
Version of Cockpit
308-1~bpo12+1
Where is the problem in Cockpit?
Networking
Server operating system
Debian
Server operating system version
6.1.69
What browsers are you using?
Chrome
System log
Jan 10 20:29:02 terastation-1 cockpit-tls[3715]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Jan 10 20:29:09 terastation-1 sudo[4598]: pam_unix(sudo:session): session closed for user root
Jan 10 20:29:10 terastation-1 sudo[4703]: ****** : TTY=pts/0 ; PWD=/home/****** ; USER=root ; COMMAND=/usr/bin/journalctl --since -1m
Jan 10 20:29:10 terastation-1 sudo[4703]: pam_unix(sudo:session): session opened for user root(uid=0) by ******(uid=1000)
I have the same problem. No matter what the 'Origins =' value in cockpit.conf is set to, it appears to apply X-Frame-Options = sameorigin. Can anyone confirm this is actually a bug, or did the handler change in some way?
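Added example, not part of the thread and not Cockpit's code: a simplified Python model of how a browser decides whether a response may be framed, applied to an excerpt of the policy quoted in the post and to the X-Frame-Options value reported in the comment. None of the quoted directives governs framing (default-src does not fall back to frame-ancestors), so a block has to come from X-Frame-Options or a frame-ancestors directive. The function names and header dictionaries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Excerpt of the policy quoted in the post for the iframe case.
POST_CSP = ("connect-src 'self' https://192.168.0.2:9090 wss://192.168.0.2:9090; "
            "object-src 'none'; "
            "default-src 'self' https://192.168.0.2:9090 'unsafe-inline'")
PAGE = "https://192.168.0.2:9090"   # framed Cockpit page, from the post
PARENT = "https://mysite.com"       # embedding dashboard, from the post


def origin(url):
    """scheme://host[:port], lowercased (default ports are not normalised)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None when it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_allowed(headers, page_url=PAGE, parent_url=PARENT):
    """True if a browser would let parent_url frame page_url (single-level frame).

    Simplified matching: 'self', '*' and exact origins only.
    """
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = origin(page_url) == origin(parent_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors is present, so the browser ignores X-Frame-Options.
        return ("*" in sources
                or ("'self'" in sources and same_origin)
                or origin(parent_url) in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return same_origin
    return True  # the response carries no framing control at all
```

To test a live response, pass the headers shown in the browser's network panel for the framed request to `framing_allowed`.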