
We are developing kiosk software based on Ubuntu 14.04 running on touchscreen hardware (an info stele). Currently there is an Apache web server running and serving our kiosk web app locally at https://smartbox.localhost

Now we want our app to display foreign websites in an iframe, which fails since they send the X-Frame-Options DENY/SAMEORIGIN headers.

As I see it, the most reasonable solution to this scenario would be to set up a reverse proxy server, something like what I found here, but I just don't know exactly what to do with it (I have no experience with configuring nginx so far).

Would that mean running nginx in parallel to Apache? Would our app then be served by Apache on another port (it is crucial that we use HTTPS, by the way) and have nginx listen on port 80/443? Where would I put that snippet? In /etc/nginx/nginx.conf? Or somewhere in /etc/nginx/sites-available/?

I would be very grateful if someone could give a little more in-depth "how it works" and "what to do".

Thanks a lot in advance!

hannenz
  • The most reasonable solution would IMHO be to _respect_ those sites' wishes, and not display them in (i)frames. Various sites use this not only for vanity reasons, but also under security aspects – e.g. so that users can check the address bar when logging in to a service, to decrease the risk of phishing – and that is not something you should undermine. If at all possible, open those sites in a top-window instance. – CBroe Aug 25 '16 at 12:37
  • Thanks for your comment. I would totally agree and would like to respect the "sites' wishes", but the very same client running the website(s) asks us to display their website on the info stele (not knowing about the technical details, though) :-) Opening the website in a top-window instance is not an option, since then there is "no way back" to our kiosk app. – hannenz Aug 25 '16 at 12:54
  • Well then it would certainly make more sense if the clients modified their sites accordingly. Depending on what browser your kiosk app uses, specifying domains that are allowed to embed the site via ALLOW-FROM would be the easiest fix. If the browser doesn’t support that yet, then perhaps it could be done via an additional “secret” GET parameter, request header or something, that makes the site change its behavior in regard to whether it sends the X-Frame-Options header or not. – CBroe Aug 25 '16 at 13:26
  • That sounds interesting; we are using the latest Chromium (Chromium 51.0.2704.79 on Ubuntu 14.04). Would this work with a "local domain" (we are using https://smartbox.localhost as the domain)? – hannenz Aug 25 '16 at 14:25
  • Sorry, Chrome is listed as having only “partial support” (meaning not supporting ALLOW-FROM) on http://caniuse.com/#feat=x-frame-options But perhaps a simple extension would do then? Have a look at [Ignore X-Frame headers](https://chrome.google.com/webstore/detail/ignore-x-frame-headers/gleekbfjekiniecknbkamfmkohkpodhe) - “Drops X-Frame-Options and Content-Security-Policy HTTP response headers, allowing all pages to be iframed.” – that could perhaps be the easiest and cheapest solution here …? – CBroe Aug 25 '16 at 14:28
  • Thanks, I've tried the extensions before; they all seem to be "blocked" in the meantime. Chromium says `UFS-Website.html:59 Uncaught SecurityError: Blocked a frame with origin "https://localhost:3000" from accessing a frame with origin "https://www.unileverfoodsolutions.de". Protocols, domains, and ports must match.` – hannenz Aug 25 '16 at 14:34
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/121891/discussion-between-hannenz-and-cbroe). – hannenz Aug 26 '16 at 06:24
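The fix CBroe points at in the comments is for the client to change its own site's headers rather than for the kiosk to strip them. Since Chromium does not implement `X-Frame-Options: ALLOW-FROM`, the header that actually expresses "only my own origin and this one kiosk may frame me" in Chromium is the CSP `frame-ancestors` directive (supported since Chrome 40). The following is an added example, not code from the question or the commenters: it builds the header set a site owner would add for the kiosk origin `https://smartbox.localhost`, and it evaluates, for a given set of response headers, whether a browser following X-Frame-Options and `frame-ancestors` would permit framing from a given embedder origin. The domain `client-site.example` is a constructed stand-in for the client's site, and the CSP source matching is a simplified version of the spec (`'none'`, `'self'`, `*`, scheme-only, host with optional `*.` prefix and port).

```python
"""Evaluate and produce anti-framing (clickjacking) headers.

Added example for the question above; not part of the original post.
The client-site.example domain below is constructed, and the CSP source
matching is a simplified subset of the Content-Security-Policy spec.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Normalise a URL to scheme://host[:port], dropping the scheme's default port."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    return f"{scheme}://{host}" + (f":{port}" if port else "")


def _source_matches(source, page, embedder):
    """Simplified CSP source-expression match against a normalised embedder origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":"):                       # scheme-source such as "https:"
        return embedder.startswith(src + "//")
    src_parts = urlsplit(src if "://" in src else "//" + src)
    emb = urlsplit(embedder)
    if src_parts.scheme and src_parts.scheme != emb.scheme:
        return False
    host = src_parts.hostname or ""
    if host.startswith("*."):                   # "*.kiosk.example" matches any subdomain
        if not (emb.hostname or "").endswith(host[1:]):
            return False
    elif host != emb.hostname:
        return False
    src_port = src_parts.port
    if src_port == DEFAULT_PORTS.get(src_parts.scheme or emb.scheme):
        src_port = None                         # embedder origin already has default port dropped
    return src_port == emb.port


def framing_allowed(headers, page_url, embedder_url):
    """Return (allowed, reason): may page_url be rendered in a frame on embedder_url?"""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
            ok = any(_source_matches(s, page, embedder) for s in tokens[1:])
            return ok, "frame-ancestors " + " ".join(tokens[1:])
    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True, "no framing restriction sent"
    value = xfo.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # RFC 7034 semantics; Chromium never implemented ALLOW-FROM (see the comments above).
        allowed = [origin_of(u) for u in xfo.split()[1:]]
        return embedder in allowed, "X-Frame-Options: " + xfo
    return True, "unrecognised X-Frame-Options value, treated as absent"


def build_framing_headers(allowed_embedders):
    """Headers a site owner adds so that only itself and the listed origins may frame it."""
    sources = ["'self'"] + [origin_of(u) for u in allowed_embedders]
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        # Fallback for browsers without CSP2: X-Frame-Options cannot carry an allowlist
        # that Chromium honours, so stay strict rather than loosen it.
        "X-Frame-Options": "SAMEORIGIN",
    }


KIOSK = "https://smartbox.localhost"            # kiosk origin from the question
CLIENT_SITE = "https://client-site.example/"    # constructed stand-in for the client's site


def demo():
    """Before/after view of the client's site from the kiosk's point of view."""
    strict = {"X-Frame-Options": "SAMEORIGIN"}  # what the client's site sends today (constructed)
    opened = build_framing_headers([KIOSK])     # what it would send after allowlisting the kiosk
    return {
        "today": framing_allowed(strict, CLIENT_SITE, KIOSK)[0],
        "after": framing_allowed(opened, CLIENT_SITE, KIOSK)[0],
        "other": framing_allowed(opened, CLIENT_SITE, "https://other.example")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints `{'today': False, 'after': True, 'other': False}`: the kiosk is blocked by the current `SAMEORIGIN` header, is admitted once the client's site lists `https://smartbox.localhost` in `frame-ancestors`, and any other origin stays blocked. The same `framing_allowed` check can be pointed at the real headers of a site (fetched with any HTTP client) to explain a failed embed before touching any proxy configuration.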
