3.0.0RC2 - Issue with x_frame_options

Questions and bug reports for Beta releases should be posted here.
Forum rules
Help us help you:
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
xerais
Newbie
Newbie
Posts: 2
Joined: January 4th, 2012, 10:14 pm

3.0.0RC2 - Issue with x_frame_options

Post by xerais »

So I recently upgraded to 3.0.0RC2 and have been having issues with using Organizr and displaying SABNzbd in an iframe. It was working fine before with the standard release version. I am able to load the login site through an iframe but entering my username/password on the sabnzbd interface and pressing login does nothing.

I checked the special config and it shows x_frame_options ( on ) with an asterisk next to it. This is with the box unchecked. I'm not sure what else might have changed as everything was working fine before upgrading to the RC.

I have tried clicking it on and restarting the server, then clicking it off and restarting the server, but either way it continues to say on regardless of being checked or not checked.

Any suggestions/advice would be most welcome.
xerais
Newbie
Newbie
Posts: 2
Joined: January 4th, 2012, 10:14 pm

Re: 3.0.0RC2 - Issue with x_frame_options

Post by xerais »

Well I just reinstalled the standard release and am noting the xframe stuff looks the same (unchecked but says on with an asterick).
However, everything is working correctly now in iframe.
I also noticed that the reverse proxy wasn't working correctly on 3.0.0RC2, it was redirecting to the local lan IP in http.

Installing the standard release fixed all the issues.
User avatar
safihre
Administrator
Administrator
Posts: 5523
Joined: April 30th, 2015, 7:35 am
Contact:

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

We'll need your help to fix this, so you'll need to reinstall RC2 :)
For the login problem: can you check the browser console (right click anywhere on the page and select Inspect Element, then select Console). What does it show after you try to login?

With the reverse proxy, what URL are you on? What URL should it redirect to? And which URL is it wrongly directing you?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
User avatar
safihre
Administrator
Administrator
Posts: 5523
Joined: April 30th, 2015, 7:35 am
Contact:

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

I just tested and the behavior of x_frame_options didn't change. If it's disabled, no "X-Frame-Options: SameOrigin" is send anymore.

So it seems we have to investigate a bit more what is going wrong.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Star11
Newbie
Newbie
Posts: 4
Joined: August 2nd, 2020, 10:42 pm

Re: 3.0.0RC2 - Issue with x_frame_options

Post by Star11 »

I just moved over to Sab 3.0RC2 from another app and ran into the same/similar issue in Organizr. I setup Organizr with "/name-of-app" in the tab url section of the settings. This normally works with all my apps no matter if i access it on the local domain or over my FQDN. Now with SAB this will not work over my FQDN, i get a mixed content error:

Mixed Content: The page at 'https://mydomain/#sabnzbd' was loaded over HTTPS, but requested an insecure frame 'http://mydomain/sabnzbd/'. This request has been blocked; the content must be served over HTTPS.

For some reason it defaults back to http when being setup in Organizr using "/sabnzbd" . If you specifically set Organizr's tab url to "https://mydomain/sabnzbd/" it will load properly.

Not sure if this is the same issue as the original poster but is what i am encountering.
User avatar
safihre
Administrator
Administrator
Posts: 5523
Joined: April 30th, 2015, 7:35 am
Contact:

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

So the redirect to HTTP happens after you try to login in SABnzbd?
What do you have set in the SABnzbd settings? HTTPS enabled?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Star11
Newbie
Newbie
Posts: 4
Joined: August 2nd, 2020, 10:42 pm

Re: 3.0.0RC2 - Issue with x_frame_options

Post by Star11 »

The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.

If you hardcode the https url into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.

Edit:

Checking "x_frame_options ( on )" on or off doesn't seem change the behavior in any perceivable way. Also I leave the https option disabled since my reverse proxy server should be handling that part of it.
User avatar
safihre
Administrator
Administrator
Posts: 5523
Joined: April 30th, 2015, 7:35 am
Contact:

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

Hmmm, not sure how to test this. I don't have a setup like this at home. Its strange because I specifically removed any http(S) things when doing redirects.

Could you inspect if this is happening in the browser network-tab? When you click SABnzbn in Organizer, is SAB redirecting you from httpS to http?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Star11
Newbie
Newbie
Posts: 4
Joined: August 2nd, 2020, 10:42 pm

Re: 3.0.0RC2 - Issue with x_frame_options

Post by Star11 »

General
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin

Response Headers
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray:
cf-request-id:
content-type: text/html;charset=utf-8
date: Tue, 04 Aug 2020 19:42:53 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare "
location: http://mydomain /sabnzbd/
server: cloudflare
status: 301
strict-transport-security: max-age=31536000;
vary: Accept-Encoding
x-content-type-options: nosniff
x-xss-protection: 1; mode=block

Request Headers
:authority: mydomain
:method: GET
:path: /sabnzbd
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __cfduid=
dnt: 1
referer: https://mydomain /dash/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: same-origin
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.48 Safari/537.36

Not sure if this helps but seems like Sab's location is thought to be http in the response header and that's where the issue is arising. Board wouldn't allow me to post links so had to monkey with the uri's.
IIIdefconIII
Newbie
Newbie
Posts: 4
Joined: September 8th, 2020, 7:27 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by IIIdefconIII »

Star11 wrote: August 3rd, 2020, 1:01 am The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.

If you hardcode the https url into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.

Edit:

Checking "x_frame_options ( on )" on or off doesn't seem change the behavior in any perceivable way. Also I leave the https option disabled since my reverse proxy server should be handling that part of it.
Hi, did you found a fix for this i have the same problems.
Behavior: <DOMAIN>sabnzdb. works with logging forms

Organizr, no page loading with xframe option disabled.
When i then logging to sabnzdb from a normale browser tab, and after authenticating i can refresh organizr and im logged in and it works.

Are more people experience this?
User avatar
safihre
Administrator
Administrator
Posts: 5523
Joined: April 30th, 2015, 7:35 am
Contact:

Re: 3.0.0RC2 - Issue with x_frame_options

Post by safihre »

Can you try 3.1.0Beta1? I made another changed that could help here.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
IIIdefconIII
Newbie
Newbie
Posts: 4
Joined: September 8th, 2020, 7:27 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by IIIdefconIII »

I would but im using docker compose whih isnt gving me an update at the moment. Which source should i use?
User avatar
sander
Release Testers
Release Testers
Posts: 9070
Joined: January 22nd, 2008, 2:22 pm

Re: 3.0.0RC2 - Issue with x_frame_options

Post by sander »

IIIdefconIII wrote: September 8th, 2020, 9:57 am I would but im using docker compose whih isnt gving me an update at the moment. Which source should i use?
linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"
IIIdefconIII
Newbie
Newbie
Posts: 4
Joined: September 8th, 2020, 7:27 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by IIIdefconIII »

sander wrote: September 8th, 2020, 10:08 am
IIIdefconIII wrote: September 8th, 2020, 9:57 am I would but im using docker compose whih isnt gving me an update at the moment. Which source should i use?
linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"
yeah that did the trick, thanks

Image
IIIdefconIII
Newbie
Newbie
Posts: 4
Joined: September 8th, 2020, 7:27 am

Re: 3.0.0RC2 - Issue with x_frame_options

Post by IIIdefconIII »

What exactly did you changed if I may ask? Prometheus has the same issue. I can report the fix then to them :)
Post Reply