Embedding Coder Instance - CSP Frame Ancestor Issue #15118


Closed · gskolber opened this issue Oct 16, 2024 · 3 comments · Fixed by #15596

Labels: needs-triage

Comments

@gskolber

Hello!

We are currently using Coder in some of our tests. However, for our use case, we intend to embed the instance within our platform. Is it possible to achieve this today?

When attempting this, we encounter the following issue:

Refused to frame 'https://s6bk5npn0e4j8.pit-1.try.coder.app/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

Is there any alternative or workaround for this?

Thanks in advance!

@coder-labeler coder-labeler bot added docs Area: coder.com/docs needs decision Needs a higher-level decision to be unblocked. labels Oct 16, 2024
@matifali matifali added needs-triage Issue that require triage and removed docs Area: coder.com/docs needs decision Needs a higher-level decision to be unblocked. labels Oct 17, 2024
@kylecarbs (Member)

cc @Emyrk resident CSP expert

@Emyrk Emyrk self-assigned this Oct 17, 2024
@Emyrk (Member) commented Oct 17, 2024

I will find some time to look into this.

This is where we currently configure our CSP policy:

func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {

It sounds like we might need to add in some controls to configure a more open policy.

With all of these header-style protections, a workaround is always there: put a reverse proxy in front of Coder to mutate the headers.

For the CSP in question, frame-ancestors, the best solution will be to explicitly list the parent website.


@gskolber I can't promise a solution at this very moment, but would a static configuration field to list the parent domain be enough? Meaning, is the root website that embeds Coder a static domain URL that could be passed into Coder when you boot Coder? It would be loaded as an ENV var, flag, or something like that.
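To make the "static configuration field" idea concrete, here is an added example, not Coder's own code (Coder's real CSPHeaders has the different signature quoted above): a small Go middleware whose frame-ancestors directive is built from a static allow-list of parent origins that a deployment would load at boot. An empty list keeps the current 'none' default that produced the "Refused to frame" error, and malformed entries are rejected at startup rather than emitted into the header. The function names FrameAncestorsDirective, CSPHeaders and PolicyFor, and the example.com origins, are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// FrameAncestorsDirective builds the frame-ancestors directive from a static
// allow-list of parent origins (e.g. loaded from an env var or flag at boot).
// An empty list keeps the 'none' default, which is what blocks embedding today.
// Each entry must be a bare origin (scheme://host[:port]); anything else is
// rejected so a typo cannot quietly widen the policy.
func FrameAncestorsDirective(allowedParents []string) (string, error) {
	if len(allowedParents) == 0 {
		return "frame-ancestors 'none'", nil
	}
	sources := make([]string, 0, len(allowedParents))
	for _, raw := range allowedParents {
		u, err := url.Parse(strings.TrimSpace(raw))
		if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
			return "", fmt.Errorf("frame-ancestors: %q is not an absolute origin", raw)
		}
		if (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
			return "", fmt.Errorf("frame-ancestors: %q must be an origin with no path, query or credentials", raw)
		}
		sources = append(sources, u.Scheme+"://"+u.Host)
	}
	return "frame-ancestors " + strings.Join(sources, " "), nil
}

// CSPHeaders is an illustrative stand-in for Coder's middleware of the same
// name (different signature): the policy is built once at startup and set on
// every response, so a bad allow-list fails the boot instead of a request.
func CSPHeaders(allowedParents []string) (func(http.Handler) http.Handler, error) {
	directive, err := FrameAncestorsDirective(allowedParents)
	if err != nil {
		return nil, err
	}
	policy := "default-src 'self'; " + directive
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Security-Policy", policy)
			next.ServeHTTP(w, r)
		})
	}, nil
}

// PolicyFor sends one request through the middleware and returns the CSP
// header a browser would see, which is a quick way to check a deployment's
// configuration before exposing it.
func PolicyFor(allowedParents []string) (string, error) {
	mw, err := CSPHeaders(allowedParents)
	if err != nil {
		return "", err
	}
	h := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy"), nil
}

func main() {
	// Constructed sample values; in a real deployment this list would come
	// from a flag or env var read at boot.
	for _, parents := range [][]string{
		nil,
		{"https://platform.example.com", "https://admin.example.com:8443"},
		{"platform.example.com"}, // missing scheme: rejected, not emitted
	} {
		policy, err := PolicyFor(parents)
		if err != nil {
			fmt.Println("config error:", err)
			continue
		}
		fmt.Println(policy)
	}
}
```

Listing full origins rather than bare hostnames matters: a hostname without a scheme in frame-ancestors would also match an http:// parent, so the validation here forces the operator to state the scheme.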

@gskolber (Author)

I believe that having the option to pass this field as a static value would indeed solve the problem and be quite straightforward to implement.

For now, we will use a reverse proxy to continue with the implementations on our side. Thank you very much for your attention.
