3.0.0RC2 - Issue with x_frame_options

safihre
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

I had our internal webserver, cherrypy, not configured correctly. So when we did a redirect to, for example, /login/, it would try to find the full hostname of the current setup and prepend it. It wouldn't know about the proxy, so it set up the wrong redirect.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
pinn
Jr. Member
Posts: 85
Joined: September 18th, 2011, 4:08 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by pinn »

Hi, following on from this, I think a change in Chrome means I am no longer able to access Sab via organizr. I am on 3.3.0-develop [ec40cbc]
The error given is:

Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute
Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.
safihre
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032
pinn
Jr. Member
Posts: 85
Joined: September 18th, 2011, 4:08 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by pinn »

safihre wrote: June 3rd, 2021, 8:49 am
Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032
I tried with https and same issue. Any other ideas?
safihre
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..
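A simplified model of the cookie rules discussed in this thread, as an added example that is not SABnzbd's code or part of any post: it builds a Set-Cookie header with Python's http.cookies and reports how a Chrome-like browser treats it when the page is framed by another site. The cookie name sab_session and both function names are hypothetical.

```python
from http.cookies import SimpleCookie


def build_set_cookie(name, value, samesite=None, secure=False):
    """Return the Set-Cookie header value a server would emit."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if samesite:
        jar[name]["samesite"] = samesite  # supported since Python 3.8
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def cross_site_verdict(set_cookie, scheme):
    """Classify a Set-Cookie header for a cross-site (iframe) response.

    Simplified model of the behaviour quoted in the Chrome message above;
    scheme is "http" or "https" for the framed application.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return "rejected: unparsable Set-Cookie header"
    morsel = next(iter(jar.values()))
    samesite = morsel["samesite"].strip().lower()
    secure = bool(morsel["secure"])

    if secure and scheme != "https":
        return "rejected: Secure cookie set over plain HTTP"
    if samesite not in ("strict", "lax", "none"):
        return "blocked: SameSite missing or invalid, treated as Lax"
    if samesite in ("strict", "lax"):
        return f"blocked: SameSite={samesite.capitalize()} is same-site only"
    if not secure:
        return "rejected: SameSite=None without Secure"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample cookies, not captured from a real SABnzbd instance.
    cases = [(None, False, "https"), ("None", False, "https"),
             ("None", True, "http"), ("None", True, "https")]
    for samesite, secure, scheme in cases:
        header = build_set_cookie("sab_session", "abc123", samesite, secure)
        print(f"{scheme:5} {header!r:62} -> {cross_site_verdict(header, scheme)}")
```

SameSite=None also gives up the cross-site request forgery protection that the Lax default provides, so state-changing requests still need their own CSRF check.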
pinn
Jr. Member
Posts: 85
Joined: September 18th, 2011, 4:08 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by pinn »

safihre wrote: June 9th, 2021, 2:50 am
It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..
So I'd need to purchase certs?
safihre
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

Yes, and have a "real" domain name, can't get certs for things like "localhost" or "mynas".
pinn
Jr. Member
Posts: 85
Joined: September 18th, 2011, 4:08 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by pinn »

safihre wrote: June 9th, 2021, 3:23 am
Yes, and have a "real" domain name, can't get certs for things like "localhost" or "mynas".
Thanks but that's a real PITA. Any way around this other than using a browser that doesn't enforce this, or not using organizr?
Puzzled
Full Member
Posts: 160
Joined: September 2nd, 2017, 3:02 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by Puzzled »

pinn wrote: June 9th, 2021, 3:15 am
So I'd need to purchase certs?
You can get a free certificate from https://letsencrypt.org and a domain from https://www.duckdns.org/. There are various guides for setting them up together so that the certificate is updated automatically.
pinn
Jr. Member
Posts: 85
Joined: September 18th, 2011, 4:08 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by pinn »

Good to know that. Thanks.
Are you looking to add that flag to Sab then?