Page 2 of 2

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: September 8th, 2020, 4:02 pm
by safihre
I had our internal webserver, cherrypy, nog configured correctly. So when we did a redirect to for example /login/, it would try to find the full hostname of the current setup and prepend it. It wouldn't know about the proxy, so setup the wrong redirect.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 3rd, 2021, 5:08 am
by pinn
Hi, following on from this, I think a change in Chrome means I am no longer able to access Sab via organizr. I am on 3.3.0-develop [ec40cbc]
The error given is:

Code: Select all

Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute
Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 3rd, 2021, 8:49 am
by safihre
Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 1:22 am
by pinn
safihre wrote:
June 3rd, 2021, 8:49 am
Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032
I tried with https and same issue. Any other ideas?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 2:50 am
by safihre
It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 3:15 am
by pinn
safihre wrote:
June 9th, 2021, 2:50 am
It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..
So I'd need to purchase certs?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 3:23 am
by safihre
Yes, and have a "real" domainname, can't get certs for things linke "localhost" or "mynas".

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 3:48 am
by pinn
safihre wrote:
June 9th, 2021, 3:23 am
Yes, and have a "real" domainname, can't get certs for things linke "localhost" or "mynas".
Thanks but that's a real PITA. Any way around this other than using a browser that doesn't enforce this, or not using organizr?

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 1:31 pm
by Puzzled
pinn wrote:
June 9th, 2021, 3:15 am
So I'd need to purchase certs?
You can get a free certificate from https://letsencrypt.org and a domain from https://www.duckdns.org/. There are various guides for setting them up together so that the certificate is updated automatically.

Re: 3.0.0RC2 - Issue with x_frame_options

Posted: June 9th, 2021, 3:45 pm
by pinn
Good to know that. Thanks.
Are you looking to add that flag to Sab then?