Joplin Server: Override X-Frame-Options in clickJackingHandler.ts

Hello,

I need the ability to override the X-Frame-Options: DENY directive.

This commit broke my ability to embed a note in an iFrame within my MagicMirror digital display.

I thought it was DNS at first, but this directive is causing the issue per the commit above.

If it's not possible to override this now or with a feature, what's the recommended patching approach so I can remove this security feature?

My server is behind a firewall, so this security feature is hobbling my ability to use Joplin effectively. I adopted the Joplin server specifically to share notes in this manner.

Thank you

There's no plan to support running the server within an iframe at this point, but I guess you could put a proxy in front of it (you probably already do), and rewrite or remove these specific headers.

Fair enough, thanks.

It was painful, but this is what finally worked within my container environment.

I'm guessing there is a cleaner way, but for those that run across this in the future, this does work.

I am using Synology with DSM 7.0.1-42218, so I used the Container Links feature from the Nginx container to set the alias so it can communicate with the Joplin container.

  1. Set up the nginx docker container and expose the 22300 port.
  2. Set a docker host alias for the Joplin container.
  3. Add this conf file to the conf.d directory.
    server {
        listen 22300 default;
        location / {
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            #proxy_set_header   Host             $host;
            proxy_set_header   Host             '<Your APP_BASE_URL>';
            
            add_header X-Frame-Options "ALLOW-FROM http://<Your Frame Host>:<Your Frame Port>";
            proxy_hide_header Content-Security-Policy;
            add_header Content-Security-Policy "frame-ancestors http://<Your Frame Host>:<Your Frame Port>";

            proxy_pass http://<Your Joplin Contaner Host Alias>:22300/;
        }
    }
  1. Profit?!
1 Like