3.0.0RC2 - Issue with x_frame_options

Post by **safihre** » September 8th, 2020, 4:02 pm

I had our internal webserver, cherrypy, nog configured correctly. So when we did a redirect to for example /login/, it would try to find the full hostname of the current setup and prepend it. It wouldn't know about the proxy, so setup the wrong redirect.

pinn · Post by **pinn** » June 3rd, 2021, 5:08 am

Hi, following on from this, I think a change in Chrome means I am no longer able to access Sab via organizr. I am on 3.3.0-develop [ec40cbc]
The error given is:

Code: Select all

Indicate whether a cookie is intended to be set in a cross-site context by specifying its SameSite attribute
Because a cookie’s SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which prevents the cookie from being set in a cross-site context. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.

Post by **safihre** » June 3rd, 2021, 8:49 am

Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032

pinn · Post by **pinn** » June 9th, 2021, 1:22 am

safihre wrote: ↑June 3rd, 2021, 8:49 am Seems SAB would need to specify SameSite=None.
But those would require HTTPS to be used..
https://www.chromestatus.com/feature/5633521622188032

I tried with https and same issue. Any other ideas?

Post by **safihre** » June 9th, 2021, 2:50 am

It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..

pinn · Post by **pinn** » June 9th, 2021, 3:15 am

safihre wrote: ↑June 9th, 2021, 2:50 am It will only work if we add that flag, so just using HTTPS is not enough.
Plus it has to be actual-HTTPS, so not using self-signed certificates..

So I'd need to purchase certs?

Post by **safihre** » June 9th, 2021, 3:23 am

Yes, and have a "real" domainname, can't get certs for things linke "localhost" or "mynas".

pinn · Post by **pinn** » June 9th, 2021, 3:48 am

safihre wrote: ↑June 9th, 2021, 3:23 am Yes, and have a "real" domainname, can't get certs for things linke "localhost" or "mynas".

Thanks but that's a real PITA. Any way around this other than using a browser that doesn't enforce this, or not using organizr?

Puzzled · Post by **Puzzled** » June 9th, 2021, 1:31 pm

pinn wrote: ↑June 9th, 2021, 3:15 am So I'd need to purchase certs?

You can get a free certificate from https://letsencrypt.org and a domain from https://www.duckdns.org/. There are various guides for setting them up together so that the certificate is updated automatically.

pinn · Post by **pinn** » June 9th, 2021, 3:45 pm

Good to know that. Thanks.
Are you looking to add that flag to Sab then?

Support Forum

3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options

Re: 3.0.0RC2 - Issue with x_frame_options