[Bug]: Cannot sign-in if Netdata is running in an iframe
Bug description
I built a Home Assistant add-on for Netdata:
https://github.com/felipecrs/netdata-hass-addon
And it works well.
However, since Netdata v2 there's no longer an option to disable cloud functionality, meaning I'm always greeted by this sign-in screen.
The problem is that signing-in from an iframe doesn't work:
https://github.com/user-attachments/assets/4c79353e-36a9-421d-a2cd-bce5485c28eb
Expected behavior
If it at least worked, such a thing wouldn't be so annoying.
Steps to reproduce
Install Home Assistant OS in a virtual machine and then install my add-on.
- https://www.home-assistant.io/installation/linux
- https://github.com/felipecrs/netdata-hass-addon
Then try to access Netdata from the side panel.
Installation method
docker
System info
Linux a0d7b954-ssh 6.6.73-haos
Netdata build info
time=2025-02-11T12:52:18.572-03:00 comm=netdata source=daemon level=notice errno="2, No such file or directory" tid=3967335 msg="CONFIG: cannot load user config '/etc/netdata/stream.conf'. Will try stock config."
time=2025-02-11T12:52:18.572-03:00 comm=netdata source=daemon level=error errno="22, Invalid argument" tid=3967335 msg="madvise(MADV_MERGEABLE) of size 16384, failed."
Packaging:
Netdata Version ____________________________________________ : v2.2.4
Installation Type __________________________________________ : oci
Package Architecture _______________________________________ : x86_64
Package Distro _____________________________________________ : unknown
Configure Options __________________________________________ : cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_STANDARD=11 -DCMAKE_CXX_STANDARD=14 -DBUILD_SHARED_LIBS= -DCMAKE_C_FLAGS='-ffunction-sections -fdata-sections -O2 -funroll-loops -pipe -fstack-protector-strong -D_FORTIFY_SOURCE=3 -fstack-clash-protection -fcf-protection=full -Wno-builtin-macro-redefined -fexceptions' -DCMAKE_CXX_FLAGS=' -ffunction-sections -fdata-sections -O2 -funroll-loops -pipe -fstack-protector-strong -D_FORTIFY_SOURCE=3 -fstack-clash-protection -fcf-protection=full -Wno-builtin-macro-redefined -fexceptions' -DCMAKE_COMPILE_DEFINITIONS='_GNU_SOURCE' -DCMAKE_EXE_LINKER_FLAGS='-Wl,--gc-sections -fstack-protector-strong -D_FORTIFY_SOURCE=3 -fstack-clash-protection -fcf-protection=full -Wno-builtin-macro-redefined -fexceptions' -DCMAKE_SHARED_LINKER_FLAGS='-Wl,--gc-sections'
Default Directories:
User Configurations ________________________________________ : /etc/netdata
Stock Configurations _______________________________________ : /usr/lib/netdata/conf.d
Ephemeral Databases (metrics data, metadata) _______________ : /var/cache/netdata
Permanent Databases ________________________________________ : /var/lib/netdata
Plugins ____________________________________________________ : /usr/libexec/netdata/plugins.d
Static Web Files ___________________________________________ : /usr/share/netdata/web
Log Files __________________________________________________ : /var/log/netdata
Lock Files _________________________________________________ : /var/lib/netdata/lock
Home _______________________________________________________ : /var/lib/netdata
Operating System:
Kernel _____________________________________________________ : Linux
Kernel Version _____________________________________________ : 6.6.73-haos
Operating System ___________________________________________ : Home Assistant OS
Operating System ID ________________________________________ : haos
Operating System ID Like ___________________________________ : unknown
Operating System Version ___________________________________ : 14.2 (Generic x86-64)
Operating System Version ID ________________________________ : 12
Detection __________________________________________________ : /host/etc/os-release
Hardware:
CPU Cores __________________________________________________ : 4
CPU Frequency ______________________________________________ : 800000000
RAM Bytes __________________________________________________ : 16543764480
Disk Capacity ______________________________________________ : 512110190592
CPU Architecture ___________________________________________ : x86_64
Virtualization Technology __________________________________ : none
Virtualization Detection ___________________________________ : none
Container:
Container __________________________________________________ : docker
Container Detection ________________________________________ : dockerenv
Container Orchestrator _____________________________________ : none
Container Operating System _________________________________ : Debian GNU/Linux
Container Operating System ID ______________________________ : debian
Container Operating System ID Like _________________________ : unknown
Container Operating System Version _________________________ : 12 (bookworm)
Container Operating System Version ID ______________________ : 12
Container Operating System Detection _______________________ : /etc/os-release
Features:
Built For __________________________________________________ : Linux
Netdata Cloud ______________________________________________ : YES
Health (trigger alerts and send notifications) _____________ : YES
Streaming (stream metrics to parent Netdata servers) _______ : YES
Back-filling (of higher database tiers) ____________________ : YES
Replication (fill the gaps of parent Netdata servers) ______ : YES
Streaming and Replication Compression ______________________ : YES (zstd lz4 gzip)
Contexts (index all active and archived metrics) ___________ : YES
Tiering (multiple dbs with different metrics resolution) ___ : YES (5)
Machine Learning ___________________________________________ : YES
Memory Allocator ___________________________________________ : system
Database Engines:
dbengine (compression) _____________________________________ : YES (zstd lz4)
alloc ______________________________________________________ : YES
ram ________________________________________________________ : YES
none _______________________________________________________ : YES
Connectivity Capabilities:
ACLK (Agent-Cloud Link: MQTT over WebSockets over TLS) _____ : YES
static (Netdata internal web server) _______________________ : YES
h2o (web server) ___________________________________________ : NO
WebRTC (experimental) ______________________________________ : NO
Native HTTPS (TLS Support) _________________________________ : YES
TLS Host Verification ______________________________________ : YES
Libraries:
LZ4 (extremely fast lossless compression algorithm) ________ : YES
ZSTD (fast, lossless compression algorithm) ________________ : YES
zlib (lossless data-compression library) ___________________ : YES
Brotli (generic-purpose lossless compression algorithm) ____ : NO
protobuf (platform-neutral data serialization protocol) ____ : YES (system)
OpenSSL (cryptography) _____________________________________ : YES
libdatachannel (stand-alone WebRTC data channels) __________ : NO
JSON-C (lightweight JSON manipulation) _____________________ : YES
libcap (Linux capabilities system operations) ______________ : NO
libcrypto (cryptographic functions) ________________________ : YES
libyaml (library for parsing and emitting YAML) ____________ : YES
libmnl (library for working with netfilter) ________________ : YES
Plugins:
apps (monitor processes) ___________________________________ : YES
cgroups (monitor containers and VMs) _______________________ : YES
cgroup-network (associate interfaces to CGROUPS) ___________ : YES
proc (monitor Linux systems) _______________________________ : YES
tc (monitor Linux network QoS) _____________________________ : YES
diskspace (monitor Linux mount points) _____________________ : YES
freebsd (monitor FreeBSD systems) __________________________ : NO
macos (monitor MacOS systems) ______________________________ : NO
statsd (collect custom application metrics) ________________ : YES
timex (check system clock synchronization) _________________ : YES
idlejitter (check system latency and jitter) _______________ : YES
bash (support shell data collection jobs - charts.d) _______ : YES
debugfs (kernel debugging metrics) _________________________ : YES
cups (monitor printers and print jobs) _____________________ : NO
ebpf (monitor system calls) ________________________________ : NO
freeipmi (monitor enterprise server H/W) ___________________ : YES
nfacct (gather netfilter accounting) _______________________ : NO
perf (collect kernel performance events) ___________________ : YES
slabinfo (monitor kernel object caching) ___________________ : YES
Xen ________________________________________________________ : NO
Xen VBD Error Tracking _____________________________________ : NO
Exporters:
AWS Kinesis ________________________________________________ : NO
GCP PubSub _________________________________________________ : NO
MongoDB ____________________________________________________ : YES
Prometheus (OpenMetrics) Exporter __________________________ : YES
Prometheus Remote Write ____________________________________ : YES
Graphite ___________________________________________________ : YES
Graphite HTTP / HTTPS ______________________________________ : YES
JSON _______________________________________________________ : YES
JSON HTTP / HTTPS __________________________________________ : YES
OpenTSDB ___________________________________________________ : YES
OpenTSDB HTTP / HTTPS ______________________________________ : YES
All Metrics API ____________________________________________ : YES
Shell (use metrics in shell scripts) _______________________ : YES
Debug/Developer Features:
Trace All Netdata Allocations (with charts) ________________ : NO
Developer Mode (more runtime checks, slower) _______________ : NO
Runtime Information:
Profile ____________________________________________________ : standalone
Stream Parent (accept data from Children) __________________ : NO
Stream Child (send data to a Parent) _______________________ : NO
Total System Memory ________________________________________ : 16543764480
Available System Memory ____________________________________ : 8380239872
Additional info
Maybe this can be solved by detecting this situation and opening a second tab to log in.
We cannot allow app.netdata.cloud to run in an iframe for security reasons.
Please use the v3 folder for your app. The same will happen though if you try to login in the v3. There are probably ways to bypass the login via cloud there, but I will need to think about it and discuss it with you to see if that's feasible. Let me know if v3 works as expected for you, first.
@novykh thanks for answering. But v3 doesn't work because of https://github.com/netdata/netdata-cloud/issues/1073.
Yep just saw the other issue. Let's close this and work on v3, since the main version will never work, like I wrote above.
@novykh I understand that you cannot allow app.netdata.cloud to run in an iframe, but have you considered some other login method that doesn't load app.netdata.cloud inside the iframe itself?
For example, opening a second tab to handle the login process when clicking the login button when inside of an iframe.
I understand where you're coming from, but exchanging a JWT in this situation is not something we can allow. Since the local agent (v3) is being loaded from a non-trusted origin and might not even use HTTPS, sending a JWT over postMessage or attempting to share it across origins would be a significant security risk. So, while it's technically possible to create some sort of exchange mechanism, it’s not something we can safely implement right now. I'll discuss with the rest of the team as a feature request to maybe implement a more secure token-based approach for the future.
As I said though, we won't implement something like that since it's not secure, but on the other hand, you can easily do it yourself. I don't know how you created the assistant, but if you can set something in localStorage inside the iframe, then issue a token from your cloud account and set it as netdataJWT, I believe it can work. I haven't tried it out, but it could work.
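The token handoff discussed in the two comments above, as an added example in JavaScript. This is not Netdata's code and does not describe how Netdata Cloud or the agent UI actually behave: it shows the checks a cross-window JWT exchange would need on both sides (a sender that refuses to post a bearer token to anything but an exact https origin, a receiver that trusts only `event.origin`, never the message body), and the do-it-yourself localStorage route suggested above. The function names, the `netdata-token` message type, the origins and the sample token are assumptions; the `netdataJWT` key is the one named in the comment and is untested there. The Home Assistant case fails the very first sender check, because the login window would have to know the add-on's origin up front and that origin may be plain http, which is the objection raised above.

```javascript
// Added example, not Netdata code: both halves of a cross-window JWT handoff
// with the checks it would need, plus the localStorage route from the thread.
// Function names, message type, origins and the sample token are assumptions.

const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Sender side (the login window/tab). targetOrigin must be a bare https origin:
// "*" or an http origin would hand the bearer token to whoever opened or framed
// us, and anything stored by an http page is readable by anyone on the path.
function buildTokenMessage(token, targetOrigin) {
  let parsed;
  try {
    parsed = new URL(targetOrigin);
  } catch {
    throw new Error(`targetOrigin must be an absolute origin, got ${JSON.stringify(targetOrigin)}`);
  }
  if (parsed.origin !== targetOrigin) {
    throw new Error(`targetOrigin must be a bare origin (no path): ${targetOrigin}`);
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`refusing to post a bearer token to a non-https origin: ${targetOrigin}`);
  }
  if (!JWT_SHAPE.test(token)) {
    throw new Error("token does not look like a compact JWT");
  }
  // In a browser this would be: window.opener.postMessage(message, targetOrigin)
  return { targetOrigin, message: { type: "netdata-token", token } };
}

// Receiver side (the page running inside the Home Assistant iframe).
// Only event.origin, set by the browser, says who sent the message; the
// message contents can claim anything.
function handleTokenMessage(event, expectedLoginOrigin) {
  if (event.origin !== expectedLoginOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "netdata-token" || typeof data.token !== "string") return null;
  if (!JWT_SHAPE.test(data.token)) return null;
  return data.token;
}

// The do-it-yourself route from the comment above: write the token under the
// key the agent UI is said to read. Key name taken from the thread, untested.
function storeToken(storage, token) {
  if (!JWT_SHAPE.test(token)) return false;
  storage.setItem("netdataJWT", token);
  return storage.getItem("netdataJWT") === token;
}

// Stand-alone demo with a constructed token, a constructed message event and
// an in-memory stand-in for localStorage.
function demo() {
  const sampleToken = "eyJhbGciOiJIUzI1NiJ9.e30.c2ln"; // constructed, not a real credential
  const backing = new Map();
  const storage = { setItem: (k, v) => backing.set(k, v), getItem: (k) => backing.get(k) };

  // Happy path: https agent origin, genuine login origin on the event.
  const sent = buildTokenMessage(sampleToken, "https://agent.example");
  const received = handleTokenMessage({ origin: "https://login.example", data: sent.message }, "https://login.example");
  const handedOff = received !== null && storeToken(storage, received);

  // The Home Assistant case: the embedder is on an http origin, so the sender refuses.
  let httpEmbedderRefused = false;
  try {
    buildTokenMessage(sampleToken, "http://homeassistant.local:8123");
  } catch {
    httpEmbedderRefused = true;
  }
  return { handedOff, httpEmbedderRefused };
}
```

Run it with `node` and call `demo()`; it returns `{ handedOff: true, httpEmbedderRefused: true }`. The receiver deliberately ignores rather than errors on a bad origin, since any page can post to it and noisy failures would only help an attacker probe.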
Crazy stuff, but I get your point. It's unlikely I will implement something like that, by the way.
Please feel completely free to deprioritize or even close as won't fix. I don't care that much about this to push for a non-trivial change.
@novykh can you reopen #1073 instead?