diff --git a/docker/nginx.conf b/docker/nginx.conf
index 5dde75d3..38e8cd18 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -23,13 +23,15 @@ http {
 listen ${PORT};
 server_name localhost;
- add_header X-Frame-Options DENY always;
+ # X-Frame-Options removed to allow Electron iframe embedding
+ # add_header X-Frame-Options DENY always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
 location / {
 root /usr/share/nginx/html;
 index index.html index.htm;
+ try_files $uri $uri/ /index.html;
 }
 location ~* \.map$ {
diff --git a/electron/main.cjs b/electron/main.cjs
index b8a3853d..d28a9fc5 100644
--- a/electron/main.cjs
+++ b/electron/main.cjs
@@ -64,6 +64,41 @@ function createWindow() {
 mainWindow.loadFile(indexPath);
 }
+ // Allow iframes to load from any origin by removing X-Frame-Options headers
+ mainWindow.webContents.session.webRequest.onHeadersReceived(
+ (details, callback) => {
+ const headers = details.responseHeaders;
+
+ // Remove headers that block iframe embedding
+ if (headers) {
+ delete headers["x-frame-options"];
+ delete headers["X-Frame-Options"];
+
+ // Modify CSP to allow framing
+ if (headers["content-security-policy"]) {
+ headers["content-security-policy"] = headers["content-security-policy"]
+ .map(value => value.replace(/frame-ancestors[^;]*/gi, ''))
+ .filter(value => value.trim().length > 0);
+
+ if (headers["content-security-policy"].length === 0) {
+ delete headers["content-security-policy"];
+ }
+ }
+ if (headers["Content-Security-Policy"]) {
+ headers["Content-Security-Policy"] = headers["Content-Security-Policy"]
+ .map(value => value.replace(/frame-ancestors[^;]*/gi, ''))
+ .filter(value => value.trim().length > 0);
+
+ if (headers["Content-Security-Policy"].length === 0) {
+ delete headers["Content-Security-Policy"];
+ }
+ }
+ }
+
+ callback({ responseHeaders: headers });
+ }
+ );
+
 mainWindow.once("ready-to-show", () => {
 mainWindow.show();
 });
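Review bot: Dropping `add_header X-Frame-Options DENY always;` removes clickjacking protection for every browser client of this nginx deployment, not only the Electron app, while the same commit already strips that header on the Electron side in electron/main.cjs via onHeadersReceived, so the server-side removal is redundant for the stated goal. Keep the original `add_header X-Frame-Options DENY always;` line; if a browser-side embedder is genuinely required, serve `add_header Content-Security-Policy "frame-ancestors 'self' <allowed-origin>" always;` naming only that origin (placeholder, to be filled in) rather than removing the protection outright. The commented-out directive is dead config and should either be deleted or carry a comment explaining why the Electron client does not rely on it. The enclosing server block starts and ends outside the hunk.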
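Review bot: The `onHeadersReceived` listener is registered without a URL filter and never checks `details.resourceType`, so it strips `X-Frame-Options` and `frame-ancestors` from every response in this session — the top-level document and any third-party page the auth iframe navigates to or opens (the iframe in ElectronLoginForm.tsx is sandboxed with allow-popups and allow-top-navigation) — which removes those sites' clickjacking protection inside the app. Scope the listener to the configured server origin with Electron's `{ urls: [...] }` filter and act only on `subFrame` responses; a single case-insensitive pass over the header names also replaces the duplicated lower-case/Title-Case branches, which currently let a spelling such as `X-FRAME-OPTIONS` through because `responseHeaders` keys are not normalised. createWindow begins before the hunk. A scoped version:

```javascript
  // Placeholder: replace with the origin of the configured server (the app's server URL setting).
  const FRAMEABLE_ORIGIN = "https://server.example"; // TODO(review): derive from the real server URL
  mainWindow.webContents.session.webRequest.onHeadersReceived(
    { urls: [`${FRAMEABLE_ORIGIN}/*`] },
    (details, callback) => {
      const headers = details.responseHeaders;
      // Only sub-frame responses from the allowed origin lose their framing protections.
      if (!headers || details.resourceType !== "subFrame") {
        callback({ responseHeaders: headers });
        return;
      }
      for (const name of Object.keys(headers)) {
        const lower = name.toLowerCase();
        if (lower === "x-frame-options") {
          delete headers[name];
        } else if (lower === "content-security-policy") {
          const kept = headers[name]
            .map((value) => value.replace(/frame-ancestors[^;]*/gi, ""))
            .filter((value) => value.trim().length > 0);
          if (kept.length === 0) delete headers[name];
          else headers[name] = kept;
        }
      }
      callback({ responseHeaders: headers });
    }
  );
```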
diff --git a/src/ui/Desktop/Authentication/ElectronLoginForm.tsx b/src/ui/Desktop/Authentication/ElectronLoginForm.tsx
index 005241c1..3708de06 100644
--- a/src/ui/Desktop/Authentication/ElectronLoginForm.tsx
+++ b/src/ui/Desktop/Authentication/ElectronLoginForm.tsx
@@ -326,8 +326,8 @@ export function ElectronLoginForm({
 src={serverUrl}
 className="w-full h-full border-0"
 title="Server Authentication"
- sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-by-user-activation"
- allow="clipboard-read; clipboard-write; cross-origin-isolated"
+ sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-by-user-activation allow-modals allow-downloads"
+ allow="clipboard-read; clipboard-write; cross-origin-isolated; camera; microphone; geolocation"
 />