3.0.0RC2 - Issue with x_frame_options

Posted: July 16th, 2020, 9:39 am
by xerais
So I recently upgraded to 3.0.0RC2 and have been having issues with using Organizr and displaying SABnzbd in an iframe. It was working fine before with the standard release version. I am able to load the login site through an iframe, but entering my username/password on the SABnzbd interface and pressing login does nothing.

I checked the special config and it shows x_frame_options ( on ) with an asterisk next to it. This is with the box unchecked. I'm not sure what else might have changed as everything was working fine before upgrading to the RC.

I have tried clicking it on and restarting the server, then clicking it off and restarting the server, but either way it continues to say on regardless of being checked or not checked.

Any suggestions/advice would be most welcome.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: July 16th, 2020, 10:56 am
by xerais
Well, I just reinstalled the standard release and am noticing the xframe stuff looks the same (unchecked but says on with an asterisk).
However, everything is working correctly now in an iframe.
I also noticed that the reverse proxy wasn't working correctly on 3.0.0RC2; it was redirecting to the local LAN IP over http.

Installing the standard release fixed all the issues.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: July 16th, 2020, 12:34 pm
by safihre
We'll need your help to fix this, so you'll need to reinstall RC2 :)
For the login problem: can you check the browser console (right click anywhere on the page and select Inspect Element, then select Console). What does it show after you try to login?

With the reverse proxy, what URL are you on? What URL should it redirect to? And which URL is it wrongly directing you?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: July 16th, 2020, 1:34 pm
by safihre
I just tested and the behavior of x_frame_options didn't change. If it's disabled, no "X-Frame-Options: SameOrigin" is sent anymore.

So it seems we have to investigate a bit more what is going wrong.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: August 2nd, 2020, 11:01 pm
by Star11
I just moved over to Sab 3.0RC2 from another app and ran into the same/similar issue in Organizr. I set up Organizr with "/name-of-app" in the tab URL section of the settings. This normally works with all my apps no matter if I access it on the local domain or over my FQDN. Now with SAB this will not work over my FQDN; I get a mixed content error:

Mixed Content: The page at 'https://mydomain/#sabnzbd' was loaded over HTTPS, but requested an insecure frame 'http://mydomain/sabnzbd/'. This request has been blocked; the content must be served over HTTPS.

For some reason it defaults back to http when being set up in Organizr using "/sabnzbd". If you specifically set Organizr's tab URL to "https://mydomain/sabnzbd/" it will load properly.

Not sure if this is the same issue as the original poster, but it is what I am encountering.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: August 3rd, 2020, 12:23 am
by safihre
So the redirect to HTTP happens after you try to login in SABnzbd?
What do you have set in the SABnzbd settings? HTTPS enabled?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: August 3rd, 2020, 1:01 am
by Star11
The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.

If you hardcode the https url into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.

Edit:

Checking "x_frame_options ( on )" on or off doesn't seem to change the behavior in any perceivable way. Also, I leave the https option disabled since my reverse proxy server should be handling that part of it.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: August 4th, 2020, 2:25 am
by safihre
Hmmm, not sure how to test this. I don't have a setup like this at home. It's strange because I specifically removed any http(S) things when doing redirects.

Could you inspect if this is happening in the browser network tab? When you click SABnzbd in Organizr, is SAB redirecting you from httpS to http?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: August 4th, 2020, 2:57 pm
by Star11
General
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin

Response Headers
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray:
cf-request-id:
content-type: text/html;charset=utf-8
date: Tue, 04 Aug 2020 19:42:53 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare "
location: http://mydomain /sabnzbd/
server: cloudflare
status: 301
strict-transport-security: max-age=31536000;
vary: Accept-Encoding
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

Request Headers
:authority: mydomain
:method: GET
:path: /sabnzbd
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __cfduid=
dnt: 1
referer: https://mydomain /dash/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: same-origin
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.48 Safari/537.36

Not sure if this helps, but it seems like Sab's location is thought to be http in the response header and that's where the issue is arising. The board wouldn't allow me to post links, so I had to monkey with the URIs.
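As an added diagnostic (not code from this thread or from SABnzbd), the following parses a response head copied from a browser's network tab, as in the capture above, and flags an https-to-http downgrade in the Location header plus whether any X-Frame-Options header was sent. The sample headers are reconstructed from the post with the placeholder "mydomain" kept; the last function shows the general mitigation of deriving the redirect scheme from X-Forwarded-Proto behind a TLS-terminating proxy, which is an assumption about the setup, not a statement of SABnzbd's code.

```python
"""Diagnose a captured redirect behind a reverse proxy (added example, not SABnzbd code)."""
from typing import Dict
from urllib.parse import urlsplit

# Constructed from the headers posted above; "mydomain" is a placeholder.
CAPTURED_REQUEST_URL = "https://mydomain/sabnzbd"
CAPTURED_RESPONSE_HEAD = """\
content-type: text/html;charset=utf-8
location: http://mydomain/sabnzbd/
server: cloudflare
status: 301
strict-transport-security: max-age=31536000;
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'name: value' lines (as copied from a network tab) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line[1:] if line.startswith(":") else line  # HTTP/2 pseudo-headers
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_redirect(request_url: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Flag an https->http downgrade or host change in Location; report X-Frame-Options."""
    findings: Dict[str, object] = {
        "status": headers.get("status"),
        "downgrade": False,
        "cross_host": False,
        "frame_header": headers.get("x-frame-options"),  # None: header not sent
    }
    location = headers.get("location")
    if location is None:
        return findings
    req, loc = urlsplit(request_url), urlsplit(location)
    findings["downgrade"] = req.scheme == "https" and loc.scheme == "http"
    findings["cross_host"] = bool(loc.netloc) and loc.netloc != req.netloc
    return findings


def proxied_location(path: str, request_headers: Dict[str, str]) -> str:
    """Build a Location that keeps the client's scheme behind a TLS-terminating proxy.
    Assumes the proxy overwrites X-Forwarded-Proto/-Host; otherwise stay relative."""
    proto = request_headers.get("x-forwarded-proto", "").lower()
    host = request_headers.get("x-forwarded-host") or request_headers.get("host")
    if proto in ("http", "https") and host:
        return f"{proto}://{host}{path}"
    return path  # a relative Location never downgrades the scheme
```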

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 7:32 am
by IIIdefconIII
Star11 wrote: August 3rd, 2020, 1:01 am The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.

If you hardcode the https URL into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.

Edit:

Checking "x_frame_options ( on )" on or off doesn't seem to change the behavior in any perceivable way. Also, I leave the https option disabled since my reverse proxy server should be handling that part of it.
Hi, did you find a fix for this? I have the same problems.
Behavior: <DOMAIN>sabnzdb. works with login forms

Organizr: no page loading with the xframe option disabled.
When I then log in to SABnzbd from a normal browser tab, after authenticating I can refresh Organizr and I'm logged in and it works.

Are more people experiencing this?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 9:25 am
by safihre
Can you try 3.1.0Beta1? I made another change that could help here.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 9:57 am
by IIIdefconIII
I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 10:08 am
by sander
IIIdefconIII wrote: September 8th, 2020, 9:57 am I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?
linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 1:11 pm
by IIIdefconIII
sander wrote: September 8th, 2020, 10:08 am
IIIdefconIII wrote: September 8th, 2020, 9:57 am I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?
linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"
Yeah, that did the trick, thanks.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 1:12 pm
by IIIdefconIII
What exactly did you change, if I may ask? Prometheus has the same issue. I can report the fix to them then :)