How to run omv in iframe with organizr
- OMV 5.x
- Random9
-
OMV actively prevents the embedding of the UI in an iframe.
yes, and the commands shared earlier in this apparently disable this ??
-
With the latest versions in OMV5 and OMV6 you should use the following commands:
# omv-env set OMV_NGINX_SITE_WEBGUI_SECURITY_XFRAMEOPTIONS_ENABLE no
# omv-salt stage run prepare
# omv-salt deploy run nginx
I don't know if it is necessary to disable OMV_NGINX_SITE_WEBGUI_SECURITY_CSP_ENABLE, you need to check that yourself.
Please check the documentation for more information.
-
thanks. but it gives me the same outcome. in that it loads the login screen but just loops back to the login screen when submitting credentials.
-
Please check the syslog for errors. You may run journalctl -f during signing in to the UI.
-
nothing much of interest there really
Mar 08 14:39:43 gibserver openmediavault-webgui[15296]: Authorized login from ::ffff:192.168.0.166 [username=admin, user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36]
Mar 08 14:39:43 gibserver postfix/postdrop[15306]: warning: unable to look up public/pickup: No such file or directory
Mar 08 14:39:50 gibserver openmediavault-webgui[15296]: Authorized login from ::ffff:192.168.0.166 [username=admin, user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36]
-
Nothing that helps to identify the cause.
-
I was able to reproduce it. The problem is that the PHP session cookie is also protected against CSRF. The session cookie is not submitted in the iframe, thus all API requests will be denied because the session is invalid. The UI will immediately log out in this case.
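Added example, not part of the original thread and not OMV code: a small Python check that reads a response's headers and lists what stops the UI from working in a cross-site iframe, which shows why turning off the framing headers still ends in the login loop described above. It assumes the CSRF protection on the session cookie is the SameSite attribute and models Chromium's handling; the header values and the cookie name are constructed.

```python
def cookie_blockers(set_cookie):
    """Reasons a Set-Cookie value will not be usable from a cross-site iframe."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    # Assumption: Chromium behaviour, where a missing SameSite means Lax.
    samesite = attrs.get("samesite", "lax")
    if samesite in ("lax", "strict"):
        return [f"cookie {name}: SameSite={samesite} is not sent from a cross-site iframe"]
    if "secure" not in attrs:
        return [f"cookie {name}: SameSite=None without Secure is rejected"]
    return []


def frame_blockers(headers):
    """List what stops a cross-site parent page from embedding and using the UI.

    headers: (name, value) tuples from the UI's HTTP response.
    """
    reasons = []
    for name, value in headers:
        lname, val = name.lower(), value.strip()
        if lname == "x-frame-options" and val.upper() in ("DENY", "SAMEORIGIN"):
            reasons.append("X-Frame-Options: " + val.upper())
        elif lname == "content-security-policy":
            for directive in val.split(";"):
                words = directive.lower().split()
                # Only 'self'/'none' are judged; host lists depend on the parent.
                if words[:1] == ["frame-ancestors"] and set(words[1:]) <= {"'self'", "'none'"}:
                    reasons.append("CSP " + " ".join(words))
        elif lname == "set-cookie":
            reasons.extend(cookie_blockers(val))
    return reasons


# Constructed sample responses (not captured from OMV).
COOKIE = "EXAMPLE-SESSION=abc123; path=/; HttpOnly; SameSite=Strict"
DEFAULT = [("X-Frame-Options", "SAMEORIGIN"),
           ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
           ("Set-Cookie", COOKIE)]
HEADERS_OFF = [("Set-Cookie", COOKIE)]  # both framing headers disabled

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT), ("headers off", HEADERS_OFF)):
        print(label, "->", frame_blockers(hdrs) or "nothing blocks framing")
```

With the framing headers gone the page renders in the iframe, but the cookie entry remains, so every API call after login arrives without a session.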
-
Thanks Votdev,
so what does that mean in the grand scheme of things? is that a dead end and nothing can be done to get around this?
-
From a security point of view: No, there is no workaround.
If you really need that feature, please feel free to contribute a patch that allows users to configure that PHP setting via an environment variable in OMV. Please understand that I will not invest any time here because I do not need that feature (incl. the security problems).
-
ok thanks. I'll give up the idea of doing it then as I don't know enough about php/dev to even attempt what you suggested.