<application> does not work in iframe #6

Closed
rmountjoy92 opened this issue Feb 24, 2020 · 4 comments

@rmountjoy92
Owner

You will notice that DashMachine's iframe option only works with certain apps. Here is the explanation: https://stackoverflow.com/questions/6663244/cant-show-some-websites-in-iframe-tag

If someone finds out a way around this, please let me know or submit a PR.

@rmountjoy92
Owner Author

This really needs to be done using the reverse proxy or the application itself.

The X-Frame-Options header needs to exist, with its value set to something like “ALLOW-FROM http://xxx.xx” in the HTTP response.

If you're using Traefik, you will add a traefik flag - I'm using docker compose, and I have something like this (the last label is important):

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.ouroboros.rule=Host(`ouroboros.example.com`,`ouroboros`)"
  # Sets the X-Frame-Options response header through the headers middleware
  - "traefik.http.middlewares.ouroboros.headers.customFrameOptionsValue=ALLOW"

In nginx, I think it's the site (or default) option:

proxy_hide_header X-Frame-Options;

People should be aware that this configuration is less secure than the default configurations.

@rmountjoy92 rmountjoy92 added the bug Something isn't working label Feb 24, 2020
@rmountjoy92 rmountjoy92 removed the bug Something isn't working label Mar 8, 2020
@mmarquezs

mmarquezs commented May 3, 2020

Just so people are aware, the directive allow-from from the header X-Frame-Options is obsolete.
The new way is using the directive frame-ancestors in the header Content-Security-Policy.
Unless you need to support legacy browsers, this is the new way that should be used to allow iframe loading in other domains.

@rmountjoy92
Owner Author

@mmarquezs thanks for the info, is there anything I need to do on DashMachine's side?

@mmarquezs

No, as you said, this is something that requires a change on the original application or that can be fixed on the reverse proxy, so unless you add your own reverse proxy to DashMachine there is nothing to do.

I just wanted to add the extra info just in case the other directive doesn't work for some browsers due to being obsolete.
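
How current browsers resolve the two headers discussed in this thread, as an added example that is not part of the original comments or of DashMachine's code. The function names and the example.com origins are assumptions made for illustration; only the immediate parent frame is checked.

```javascript
// Added example: would a current browser let `parentOrigin` frame this response?
// Simplified: only the immediate parent is checked and source paths are ignored.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function matchesSource(rawSrc, parent, framed) {
  const src = rawSrc.toLowerCase();
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return parent.origin === framed.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parent.protocol === src; // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme is compared against the framed page's scheme.
  const proto = scheme ? scheme + ":" : framed.protocol;
  if (parent.protocol !== proto) return false;
  const hostOk = wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
  // URL.port is "" for the default port, which is also what a port-less source means.
  const wantPort = port === DEFAULT_PORT[proto] ? "" : port || "";
  return hostOk && (port === "*" || parent.port === wantPort);
}

function framingDecision(headers, parentOrigin, framedOrigin) {
  const parent = new URL(parentOrigin);
  const framed = new URL(framedOrigin);
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const frameAncestors = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (frameAncestors) {
    // When frame-ancestors is present it decides; X-Frame-Options is not consulted.
    const allowed = frameAncestors.slice(1).some((s) => matchesSource(s, parent, framed));
    return { allowed, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parent.origin === framed.origin, decidedBy: "x-frame-options" };
  }
  // ALLOW-FROM (or any unrecognised value) is ignored, which leaves the page
  // frameable by every origin, exactly as if no header had been sent.
  return { allowed: true, decidedBy: xfo ? "x-frame-options ignored" : "no header" };
}
```

Running it against a proxied app's response headers shows why `frame-ancestors` with the dashboard's origin is the setting to prefer: it allows the dashboard and still blocks every other site, whereas hiding the header or sending `ALLOW-FROM` allows all of them.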
