Help save net neutrality! Learn more.
Close

#418 Framed login to user account fails by X-Frame-Options

1.530
closed-fixed
nobody
None
5
2012-12-18
2012-12-17
JamieM
No

Logging into Usermin as a user from Webmin Fails in Firefox 18 beta, which implements X-Frame-Options.

When clicking from Webmin 1.610 into Users and Groups, then clicking a User and choosing "Login to Usermin" at the bottom, the right-hand frame displays a blank page in Firefox 18 beta.

Looking at the Console in Firebug:
"Load denied by X-Frame-Options: https://mysite.com:21001/ does not permit cross-origin framing."

The Webmin site is located at https://mysite.com:10666/ which is not the same Origin as the Usermin site because it's on a different Port number.

I noticed in the Webmin source that this seems to be set here at line 749:
https://github.com/webmin/webmin/blob/master/web-lib-funcs.pl
(I believe the Usermin source references the same file)

print "X-Frame-Options: SAMEORIGIN\n";

Could this be set to the Url of the Webmin server, either somewhere in the settings of Usermin, or automagically?
print "X-Frame-Options: ALLOW-FROM WEBMINURI\n";

The technical notes from Mozilla are here:
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

Discussion

  • Jamie Cameron

    Jamie Cameron - 2012-12-18

    Thanks for pointing this out - I will fix this in the next Webmin release by making the usermin login happen in a separate window.

     
  • Jamie Cameron

    Jamie Cameron - 2012-12-18
    • status: open --> closed-fixed
     
  • JamieM

    JamieM - 2012-12-18

    Thanks for looking into it.

    As a workaround right now, I can still open a new tab/window and paste the Usermin address in.

    The logon for the user will still be valid despite the Frame attempt opening being thwarted by the Frame policy.

     

Log in to post a comment.