June 20, 20224 yr Hi I am trying to bed my Unraid WebUi as a tab in Home Assistant. This worked perfectly on my LAN with UnRaid version 6.9 but since upgrading to version 6.10 it seems like the web server now sets the x-frame-options header to 'sameorigin'. Is there a way I can update this? Thanks in advance!
October 28, 20223 yr On 6/21/2022 at 4:47 PM, Squid said: Not without modifying the code yourself coming a little late to the party but.. would that be able with a plugin/startup script?
January 7, 20242 yr I've had this issue too. I'm using HomeAssistant LoveLace dashboard where I use iFrames for my other web interfaces. For future reference: - SSH to your Unraid server - Open /etc/nginx/nginx.conf with vi or nano - Go to the bottom to find add_header Content-Security-Policy "frame-ancestors 'self' https://connect.myunraid.net/" - Edit to your liking (example): add_header Content-Security-Policy "frame-ancestors 'self' https://connect.myunraid.net/ https://ha.mydomain.net" After editing you need to reload the web service of unraid: /etc/rc.d/rc.nginx reload Extra: If you run a reverse proxy and/or 2FA service in your iframe you need to include these too. It is allowed to add IP addresses. As an example: add_header Content-Security-Policy "frame-ancestors 'self' https://connect.myunraid.net/ https://ha.mydomain.net 192.168.1.1 172.30.0.2" Dropdown: - Default: https://connect.myunraid.net/ - Where the iframe is used: https://ha.mydomain.net - Reverse proxy: 192.168.1.1 - 2FA url 172.30.0.2 Edited January 7, 20242 yr by renedis1
April 9, 20242 yr I have been struggling getting this to work to load unraid in an iframe in Organizr. The instructions above was half the battle, the other half was to add the following in chrome: Open: chrome://flags/#unsafely-treat-insecure-origin-as-secure and add https://tower.mydomain.com to the list of insecure sites to allow then change the setting to enable and relaunch chrome. I don't know why organizr is trying to load http instead of https but this at least allows things to work the way I need! Edited April 18, 20242 yr by toyanucci
April 18, 20242 yr I've made further progress and found we no longer need to set that chrome flag to get this to work. We just need to add https://organizr.yourdomain.com (url you use to access organizr outside of your network) to /etc/nginx/nginx.conf and in organizr we need to add https://tower.yourdomain.com/Dashboard as the tab url for unRAID and the iframe will work!
September 3, 20241 yr my workaround is to do this in an array startup userscript just replace `YOURDOMAINHERE` and you should be good #!/bin/bash # Path to the nginx.conf file NGINX_CONF="/etc/nginx/nginx.conf" # New Content-Security-Policy directive NEW_CSP="add_header Content-Security-Policy \"frame-ancestors 'self' https://connect.myunraid.net/ https://*.YOURDOMAINHERE\";" # Use sed to replace the line sed -i.bak "/add_header Content-Security-Policy/c\\ $NEW_CSP " $NGINX_CONF # Restart Nginx to apply changes nginx -s reload echo "Content-Security-Policy directive updated and Nginx reloaded." Edited September 3, 20241 yr by phyzical
April 18Apr 18 On 9/3/2024 at 2:06 PM, phyzical said:my workaround is to do this in an array startup userscript just replace `YOURDOMAINHERE` and you should be good #!/bin/bash # Path to the nginx.conf file NGINX_CONF="/etc/nginx/nginx.conf" # New Content-Security-Policy directive NEW_CSP="add_header Content-Security-Policy \"frame-ancestors 'self' https://connect.myunraid.net/ https://*.YOURDOMAINHERE\";" # Use sed to replace the line sed -i.bak "/add_header Content-Security-Policy/c\\ $NEW_CSP " $NGINX_CONF # Restart Nginx to apply changes nginx -s reload echo "Content-Security-Policy directive updated and Nginx reloaded." Small note to the script for anyone looking at this in 2026: The conf file which should be modified is now at (at least for me):/etc/nginx/conf.d/servers.conf
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.