3.0.0RC2 - Issue with x_frame_options
So I recently upgraded to 3.0.0RC2 and have been having issues with using Organizr and displaying SABnzbd in an iframe. It was working fine before with the standard release version. I am able to load the login site through an iframe but entering my username/password on the SABnzbd interface and pressing login does nothing.
I checked the special config and it shows x_frame_options ( on ) with an asterisk next to it. This is with the box unchecked. I'm not sure what else might have changed as everything was working fine before upgrading to the RC.
I have tried clicking it on and restarting the server, then clicking it off and restarting the server, but either way it continues to say on regardless of being checked or not checked.
Any suggestions/advice would be most welcome.
Re: 3.0.0RC2 - Issue with x_frame_options
Well I just reinstalled the standard release and am noting the xframe stuff looks the same (unchecked but says on with an asterisk).
However, everything is working correctly now in iframe.
I also noticed that the reverse proxy wasn't working correctly on 3.0.0RC2, it was redirecting to the local lan IP in http.
Installing the standard release fixed all the issues.
Re: 3.0.0RC2 - Issue with x_frame_options
We'll need your help to fix this, so you'll need to reinstall RC2.
For the login problem: can you check the browser console (right click anywhere on the page and select Inspect Element, then select Console). What does it show after you try to login?
With the reverse proxy, what URL are you on? What URL should it redirect to? And which URL is it wrongly directing you?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Re: 3.0.0RC2 - Issue with x_frame_options
I just tested and the behavior of x_frame_options didn't change. If it's disabled, no "X-Frame-Options: SameOrigin" is sent anymore.
So it seems we have to investigate a bit more what is going wrong.
Re: 3.0.0RC2 - Issue with x_frame_options
I just moved over to Sab 3.0RC2 from another app and ran into the same/similar issue in Organizr. I set up Organizr with "/name-of-app" in the tab url section of the settings. This normally works with all my apps no matter if I access it on the local domain or over my FQDN. Now with SAB this will not work over my FQDN, I get a mixed content error:
Mixed Content: The page at 'https://mydomain/#sabnzbd' was loaded over HTTPS, but requested an insecure frame 'http://mydomain/sabnzbd/'. This request has been blocked; the content must be served over HTTPS.
For some reason it defaults back to http when being set up in Organizr using "/sabnzbd". If you specifically set Organizr's tab url to "https://mydomain/sabnzbd/" it will load properly.
Not sure if this is the same issue as the original poster but is what I am encountering.
Re: 3.0.0RC2 - Issue with x_frame_options
So the redirect to HTTP happens after you try to login in SABnzbd?
What do you have set in the SABnzbd settings? HTTPS enabled?
Re: 3.0.0RC2 - Issue with x_frame_options
The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.
If you hardcode the https url into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.
Edit:
Checking "x_frame_options ( on )" on or off doesn't seem to change the behavior in any perceivable way. Also I leave the https option disabled since my reverse proxy server should be handling that part of it.
Re: 3.0.0RC2 - Issue with x_frame_options
Hmmm, not sure how to test this. I don't have a setup like this at home. It's strange because I specifically removed any http(S) things when doing redirects.
Could you inspect if this is happening in the browser network-tab? When you click SABnzbd in Organizr, is SAB redirecting you from httpS to http?
Re: 3.0.0RC2 - Issue with x_frame_options
General
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin
Response Headers
Request URL: https://mydomain /sabnzbd
Referrer Policy: strict-origin-when-cross-origin
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
cf-cache-status: DYNAMIC
cf-ray:
cf-request-id:
content-type: text/html;charset=utf-8
date: Tue, 04 Aug 2020 19:42:53 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare "
location: http://mydomain /sabnzbd/
server: cloudflare
status: 301
strict-transport-security: max-age=31536000;
vary: Accept-Encoding
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
Request Headers
:authority: mydomain
:method: GET
:path: /sabnzbd
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __cfduid=
dnt: 1
referer: https://mydomain /dash/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: same-origin
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.48 Safari/537.36
Not sure if this helps but seems like Sab's location is thought to be http in the response header and that's where the issue is arising. Board wouldn't allow me to post links so had to monkey with the uri's.
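One way to check a captured response for the redirect discussed above, as an added example that is not part of the original thread or SABnzbd's own code: it flags an absolute http:// Location returned for a framed https request and shows that a relative Location avoids it. The host name mydomain.example, the function names and the finding labels are assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme))


def audit_framed_response(request_url, status, headers, parent_url):
    """Findings for one response fetched as an iframe inside parent_url.

    Assumes one level of framing and no upgrade-insecure-requests
    policy on the parent page.
    """
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if status in REDIRECTS and "location" in hdrs:
        # Location is resolved against the request URL: a relative value
        # keeps the https scheme, an absolute http:// value drops it.
        target = urljoin(request_url, hdrs["location"])
        if urlsplit(target).scheme == "http":
            if urlsplit(request_url).scheme == "https":
                findings.append("downgrade-redirect")
            if urlsplit(parent_url).scheme == "https":
                findings.append("mixed-content-frame")
        return findings
    # X-Frame-Options only matters on the document that is finally rendered.
    xfo = hdrs.get("x-frame-options", "").upper()
    if xfo == "DENY" or (xfo == "SAMEORIGIN" and origin(request_url) != origin(parent_url)):
        findings.append("x-frame-options-blocked")
    return findings


# Constructed sample modelled on the 301 posted above; "mydomain.example"
# stands in for the poster's redacted host name.
SAMPLE = dict(
    request_url="https://mydomain.example/sabnzbd",
    status=301,
    headers={"Location": "http://mydomain.example/sabnzbd/"},
    parent_url="https://mydomain.example/dash/",
)

if __name__ == "__main__":
    print(audit_framed_response(**SAMPLE))
    print(audit_framed_response(**dict(SAMPLE, headers={"Location": "/sabnzbd/"})))
```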
Re: 3.0.0RC2 - Issue with x_frame_options
Star11 wrote (August 3rd, 2020, 1:01 am):
> The redirect happens when you click on the Sab menu in Organizr, so for me the login page never loads because of the mixed content error.
> If you hardcode the https url into Organizr's tab settings and click the Sab menu the login page will load and allow you to login with everything working properly.
> Edit:
> Checking "x_frame_options ( on )" on or off doesn't seem to change the behavior in any perceivable way. Also I leave the https option disabled since my reverse proxy server should be handling that part of it.
Hi, did you find a fix for this? I have the same problems.
Behavior: <DOMAIN>sabnzdb. works with logging forms
Organizr, no page loading with xframe option disabled.
When I then log in to sabnzbd from a normal browser tab, and after authenticating, I can refresh Organizr and I'm logged in and it works.
Are more people experiencing this?
Re: 3.0.0RC2 - Issue with x_frame_options
Can you try 3.1.0Beta1? I made another change that could help here.
Re: 3.0.0RC2 - Issue with x_frame_options
I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?
Re: 3.0.0RC2 - Issue with x_frame_options
IIIdefconIII wrote (September 8th, 2020, 9:57 am):
> I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?
linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"
Re: 3.0.0RC2 - Issue with x_frame_options
sander wrote (September 8th, 2020, 10:08 am):
> IIIdefconIII wrote (September 8th, 2020, 9:57 am):
> > I would, but I'm using docker compose which isn't giving me an update at the moment. Which source should I use?
> linuxserver sabnzbd unstable, as: "Pre-releases from their GitHub"
yeah that did the trick, thanks
Re: 3.0.0RC2 - Issue with x_frame_options
What exactly did you change, if I may ask? Prometheus has the same issue. I can report the fix then to them