tubesync
Allow display within iframes
I use Organizr to manage my self-hosted services, which requires services to be embeddable as iframes for them to work as tabs. Would you please consider removing this line or making it configurable to allow us to use TubeSync within an iframe on a different origin?
https://github.com/meeb/tubesync/blob/d0d4cbeace56f6c92dbed1b711bb9e300e0a7ffc/config/root/etc/nginx/nginx.conf#L33
`X-Frame-Options` is probably a good idea to have set by default for a web interface with no default security at the moment. Using `ALLOW-FROM` as a directive isn't supported any more, so the two options are `DENY` or `SAMEORIGIN`. I'll put making this configurable in the container as a wishlist item, the configuration would be `SAMEORIGIN` or just no header at all. There is no dynamic configuration in the bundled nginx proxy itself at the moment so this will need to be added first (dynamic configs from env vars etc.).
I was able to get this working with Tubesync, Organizr, and Traefik 2, all using docker. I used Traefik middlewares to inject the needed header:
```
- "traefik.http.middlewares.tubesyncsts.headers.contentSecurityPolicy=frame-ancestors my_domain.tld"
```
I then add that middleware to my router by using the following label:
```
- "traefik.http.routers.tubesync.middlewares=tubesync-auth, tubesyncsts"
```
If anyone has any questions let me know. I can also post the rest of my docker compose file, but nothing else is really relevant to getting it working in an iframe.
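The header interaction behind the workaround above, as an added example that is not code from this thread or from TubeSync: when a response carries a CSP `frame-ancestors` directive, browsers ignore `X-Frame-Options`, and they also ignore an `X-Frame-Options` value they do not support, such as `ALLOW-FROM`. Assumptions: the bundled nginx sends `SAMEORIGIN`, the hostnames are constructed, only the immediate parent frame is checked, and source matching is simplified (no IPv6, no paths).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(),
            u.port or DEFAULT_PORTS.get(u.scheme.lower()))

def _source_matches(source, parent, page):
    """Match one frame-ancestors source expression against the parent origin."""
    p_scheme, p_host, p_port = parent
    if source == "'self'":
        return parent == page
    if source == "*":
        return True
    if source.endswith(":"):                       # scheme-source, e.g. https:
        return p_scheme == source[:-1].lower()
    scheme, sep, rest = source.rpartition("://")
    scheme = scheme.lower() if sep else page[0]    # bare host: page's own scheme
    host, _, port = rest.split("/")[0].lower().partition(":")
    if p_scheme != scheme and not (scheme == "http" and p_scheme == "https"):
        return False
    host_ok = p_host.endswith(host[1:]) if host.startswith("*.") else p_host == host
    want_port = int(port) if port.isdigit() else DEFAULT_PORTS.get(p_scheme)
    return host_ok and (port == "*" or p_port == want_port)  # 'none' never matches

def framing_allowed(headers, page_url, parent_url):
    """True if a browser would render page_url inside a frame on parent_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = _origin(page_url), _origin(parent_url)
    policies = []
    for policy in h.get("content-security-policy", "").split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                policies.append(parts[1:])
                break
    if policies:  # frame-ancestors present: X-Frame-Options is ignored
        return all(any(_source_matches(s, parent, page) for s in srcs)
                   for srcs in policies)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True   # no header, or an ignored value such as ALLOW-FROM

# Constructed sample values: hostnames and the nginx default are assumptions.
PAGE = "https://tubesync.my_domain.tld/"
NGINX_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
WITH_TRAEFIK = {**NGINX_ONLY,
                "Content-Security-Policy": "frame-ancestors my_domain.tld"}
```

A bare host source such as `my_domain.tld` matches that host only; a dashboard served from a subdomain needs its exact hostname or a `*.my_domain.tld` source in the directive.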
Nice tip, thanks @joe-eklund!
@joe-eklund, I would really appreciate it if you could post the docker compose file. I would like to have tubesync behind Traefik. I am not really an expert in Traefik. Thanks.