[BUG] WebGUI not displayed in iframe anymore

[Beelzebob6666]

Description

I am using a private monitoring website to aggregate the ProxMenux Title Bars from different Proxmox machines in iframes on a single overview page, together with other availability checks.

Since the most recent versions (1.2.2, newer 1.2.1) the iframes are blocked - probably due to CORS policy enforcement.

Steps to Reproduce

1. create a website with an <iframe src="http://IPADDRESS:8008" ></iframe>
2. call the website

Expected Behavior

What should happen?
The iframe should display the ProxMenux WebUI.

Screenshots (Required)

• top one (Primus) still running an older version - is accessible via iframe
• bottom one (Sekundus) is running newer version - is not accessible via iframe

Environment

• Operating system: Proxmox 9.2.3
• Software version: 1.2.2
• Other relevant details:

Additional Information

The change probably was intentional with security in mind, but it borked at least my use case. It would be great, if there was an option to disable the cors enforcement.

[MacRimi]

Hi @Beelzebob6666!

Thanks a lot for the detailed report and the screenshots — really helpful!
You're right that the recent versions tightened things up on the security side, but the part actually blocking your iframes is most likely not CORS — it's the X-Frame-Options and/or Content-Security-Policy: frame-ancestors headers we added to stop the WebUI from being embedded by untrusted sites (clickjacking protection). CORS handles cross-origin data requests, while iframe embedding is controlled by those framing headers — easy to mix up since the symptom looks similar.

I don't think we need to choose between "secure" and "embeddable" though. Instead of a switch that just turns the protection off completely, I'd rather let you whitelist the origins you trust. So I'm thinking about adding an option in an upcoming version where you can list your allowed parent origins, something like:

ALLOWED_FRAME_ANCESTORS=https://your-monitoring-site.example

With that set, ProxMenux would send Content-Security-Policy: frame-ancestors (and drop the conflicting X-Frame-Options) so your dashboard can embed it while everyone else stays protected by default. Leaving it empty keeps the current locked-down behavior.

I'll probably push it to a beta first so you can test it before it lands in the final release.
A couple of quick questions to make sure I get it right:

Is your monitoring page served over HTTPS or HTTP? (a https parent embedding an http://IP:8008 child can trigger separate mixed-content blocking)
Are you embedding from a single fixed origin, or several?

Thanks again for taking the time to report!

[Beelzebob6666]

Hi @MacRimi and thanks for the quick reply,

The website is http only and is hosted on a raspberryPi.
The raspberryPi accesses it itself via "\localhost" to display the page on a monitor in the server rack. Other clients in the network access it via url (redirected via unbound to the PIs IP).

[MacRimi]

Perfect, thanks for the details! Since it's all HTTP within your local network, that keeps things simpler — no mixed-content issues to worry about.
I'll think through the best way to implement it and let you know once there's a beta ready to test. Thanks again!