
Hosting environments which set "X-Frame-Options: SAMEORIGIN" will break CryptPad in such a way that the user has no idea WTF is going on #1732

Closed
ForestJohnson opened this issue Dec 11, 2024 · 3 comments
Labels
Invalid We can't do anything about it in its current state

Comments

@ForestJohnson

ForestJohnson commented Dec 11, 2024

Description

https://sunbeam.city/@notplants/113625841650195515

User was trying to run CryptPad on a server which was based on YunoHost. YunoHost sets X-Frame-Options: SAMEORIGIN across the board.

This causes CryptPad to fail and display a network error in the web browser. It fails so hard it can't even display an error message:

[screenshot: network error shown in the browser]

Steps to reproduce

Host behind an HTTP reverse proxy which sets the X-Frame-Options: SAMEORIGIN response header.

Relevant logs

See screenshots

Expected behavior

As an iframe user, CryptPad should check to make sure that the X-Frame-Options is not set or is set correctly, and warn the user if it is not.

This JavaScript should do it. You just need to pass the sandbox origin to the JS somehow so it can run on page load before the iframe attempts to load:

```javascript
(() => {
    // Origin of the CryptPad sandbox domain that the main page loads in an iframe.
    const sandboxOrigin = 'https://sandbox-crypt.commoninternet.net';
    // Re-request the current page and inspect the framing header the server sends.
    fetch(window.location.origin).then(response => {
        const header = response.headers.get('x-frame-options');
        // Any value other than an ALLOW-FROM naming the sandbox origin will block the iframe.
        if (header && (!header.includes('ALLOW-FROM') || !header.includes(sandboxOrigin))) {
            alert(
              "Your HTTP server is messing up the X-Frame-Options header, which breaks CryptPad's OnlyOffice" +
              " sandbox and thus breaks the app. " +
              "Please configure your server to leave the existing X-Frame-Options header in peace"
            );
        }
    });
})();
```

[screenshot]

Which operating system are you using?

Linux/BSD/UNIX

What browsers are you seeing the problem on?

Mozilla Firefox

Extensions

N/A (CryptPad version 5.3.0)

Version

Other
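As an added example (my own, not code from this issue or from CryptPad), here is the decision such a startup check has to make, written as a standalone function: given the response headers of the page being framed and the origin of the document framing it, will a current browser refuse the iframe? It goes beyond the issue's ALLOW-FROM check by also reading the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options, and by treating ALLOW-FROM as the ignored value it is in current browsers. The origins and sample headers are constructed assumptions.

```javascript
// Added example, not code from the issue or from CryptPad: given the response
// headers of the page that is being framed and the origin of the document
// framing it, decide whether a browser will refuse the iframe, and why.
// Precedence follows current browsers: a CSP frame-ancestors directive wins
// over X-Frame-Options; DENY blocks all framing, SAMEORIGIN blocks
// cross-origin framing, and ALLOW-FROM is no longer honoured (ignored).
function framingVerdict(headers, pageOrigin, frameOrigin) {
  // Header names are case-insensitive, so look them up that way.
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : null;
  };
  const csp = get('content-security-policy');
  const ancestors = csp && csp.split(';')
    .map((directive) => directive.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'frame-ancestors');
  if (ancestors) {
    // Simplified source matching: '*', 'self', or an exact origin.
    const sources = ancestors.slice(1).map((s) => s.toLowerCase());
    const allowed = sources.some((s) =>
      s === '*' ||
      (s === "'self'" && frameOrigin === pageOrigin) ||
      s === frameOrigin.toLowerCase());
    return { blocked: !allowed,
             reason: `frame-ancestors ${allowed ? 'allows' : 'excludes'} ${frameOrigin}` };
  }
  const xfo = get('x-frame-options');
  if (!xfo) return { blocked: false, reason: 'no framing restriction sent' };
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return { blocked: true, reason: 'X-Frame-Options: DENY' };
  if (value === 'SAMEORIGIN') {
    const same = frameOrigin === pageOrigin;
    return { blocked: !same,
             reason: same ? 'same-origin frame permitted'
                          : `X-Frame-Options: SAMEORIGIN blocks a frame from ${frameOrigin}` };
  }
  // ALLOW-FROM and other unrecognised values are ignored by current browsers.
  return { blocked: false, reason: `ignored X-Frame-Options value: ${xfo}` };
}
// Constructed placeholders for a CryptPad-style split deployment (assumptions).
const MAIN_ORIGIN = 'https://pad.example.test';
const SANDBOX_ORIGIN = 'https://sandbox.pad.example.test';
// Constructed sample responses for the sandbox origin: what a proxy like the one
// in this report emits, versus a policy that names the main origin explicitly.
const PROXY_SAMEORIGIN = { 'X-Frame-Options': 'SAMEORIGIN' };
const EXPLICIT_ALLOWLIST = { 'Content-Security-Policy': 'frame-ancestors https://pad.example.test' };
console.log(framingVerdict(PROXY_SAMEORIGIN, SANDBOX_ORIGIN, MAIN_ORIGIN));
console.log(framingVerdict(EXPLICIT_ALLOWLIST, SANDBOX_ORIGIN, MAIN_ORIGIN));
```

Feeding it the real response headers of both the main and the sandbox origin (for example from a `fetch` on page load, as proposed above) tells an admin before the iframe is attempted whether the proxy's header will break the app.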

@ForestJohnson

ForestJohnson commented Dec 11, 2024

Yes, it kinda makes sense to blame this on YunoHost, so why not open an issue: YunoHost/issues#2498

However, it's worth noting that you can easily fix this in CryptPad via that JS I posted (or something similar).

YunoHost is almost certainly not the only one doing this, so I think it makes sense to display an error message in the event that the application cannot load.

@ForestJohnson ForestJohnson changed the title Hosting environments which set "X-Frame-Options: SAMEORIGIN" will break CryptPad Hosting environments which set "X-Frame-Options: SAMEORIGIN" will break CryptPad in such a way that user has no idea WTF is going on Dec 11, 2024
@mathilde-cryptpad

Upstream issue that will be handled by YunoHost. Our security headers are here for a reason.

@mathilde-cryptpad mathilde-cryptpad closed this as not planned Won't fix, can't repro, duplicate, stale Dec 11, 2024
@mathilde-cryptpad mathilde-cryptpad added the Invalid We can't do anything about it in its current state label Dec 11, 2024
@ForestJohnson

Disappointing but not surprising. I do believe in the future there will be another generation of free software that treats admins as users, and invests in usability. Until then I guess I'll stick with Google Drive.
