Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to disable or bypass X-Frame-Options in header with iframe include of minio #3447

Open
filoucrackeur opened this issue Apr 19, 2023 · 8 comments
Open

How to disable or bypass X-Frame-Options in header with iframe include of minio #3447

filoucrackeur opened this issue Apr 19, 2023 · 8 comments
Assignees
@dvaldivia @bexsoft
Labels
community triage

Comments

@filoucrackeur
Copy link

NOTE

i have seen minio/minio#15548 but it don't respond to my case

Expected Behavior

i want to call https://localhost:9001/ in my iframe https://sandbox.local/

Current Behavior

Load of « https://localhost:9001/ » in frame is refused by « X-Frame-Options » defined with « DENY ».

Possible Solution

remove from header X-Frame-Options
or add field settings in admin UI
@harshavardhana
Copy link
Member

@dvaldivia how did you do this for Operator UI?

@klauspost
Copy link
Contributor

Ping @dvaldivia

@tounaf
Copy link

tounaf commented May 16, 2023

@filoucrackeur , you can use nginx as proxy for minio . Try to see this docs setup-nginx-proxy-minio

@dvaldivia
Copy link
Collaborator

hi @filoucrackeur we only support embedding the Object Browser at the moment via iFrame, is that what you are trying to achieve?

@filoucrackeur
Copy link
Author

yes indeed

@baifachuan
Copy link

Execuse me, How can I embedding the Object Browser in my web page with Iframe?

I meet the same problem:

Load of « https://localhost:9001/ » in frame is refused by « X-Frame-Options » defined with « DENY ».

@harshavardhana harshavardhana transferred this issue from minio/minio Sep 30, 2024
@allanrogerr
Copy link
Contributor

We are discussing this internally.

@SergioKingOne
Copy link

I'm encountering issues with MinIO console iframe embedding too. Adding context to help debug:

Config:

minio:
  image: quay.io/minio/minio
  ports:
    - 9000:9000 # API
    - 9001:9001 # Console
  environment:
    MINIO_ROOT_USER: minioadmin
    MINIO_ROOT_PASSWORD: minioadmin
    MINIO_REGION_NAME: us-east-1
    MINIO_CORS_ALLOW_ORIGIN: "*"
    MINIO_BROWSER_REFERRER_POLICY: "no-referrer-when-downgrade"
    MINIO_BROWSER_CONTENT_SECURITY_POLICY: "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors * 'self' file://* http://localhost:* http://127.0.0.1:* http://0.0.0.0:*"
  volumes:
    - bioma-minio-data:/data
  command: server /data --console-address ':9001'

Current Behavior:

Login page loads fine in iframe
On login attempt: 403 Forbidden on /api/v1/session
UI becomes blank after failed login

Response Headers:

access-control-allow-origin: _
content-security-policy: default-src _ 'unsafe-inline' 'unsafe-eval'; frame-ancestors _ 'self' file://_ http://localhost:_ http://127.0.0.1:_ http://0.0.0.0:\*
referrer-policy: strict-origin-when-cross-origin
x-frame-options: ALLOWALL

I've configured NGINX but getting same behavior. Any ideas what else might be needed for session authentication to work in iframe mode? @dvaldivia you mentioned Object Browser is supported - any specific config needed for that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dvaldivia dvaldivia

@bexsoft bexsoft

Labels
community triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@harshavardhana @filoucrackeur @klauspost @baifachuan @allanrogerr @dvaldivia @bexsoft @tounaf @SergioKingOne