[GH-ISSUE #23] Raw message tab is broken because of cross-origin access #20

Closed
opened 2026-03-15 12:08:10 +03:00 by kerem · 10 comments
Originally created by @antonkomarev on GitHub (Nov 22, 2022).
Original GitHub issue: https://github.com/axllent/mailpit/issues/23

Loading «https://mailpit.example.com/api/v1/message/89db0f92-a94b-4e43-80f1-d25866d7e1e5/raw» in frame prohibited by directive «X-Frame-Options», set as «DENY».
DOMException: Permission denied to access property "document" on cross-origin object

Firefox: [screenshot, 2022-11-22 15:39:36]

Chrome: [screenshot, 2022-11-22 15:37:06]

kerem closed this issue 2026-03-15 12:08:16 +03:00

@antonkomarev commented on GitHub (Nov 22, 2022):

In Firefox there is a button to open link in new tab (and it works), but in Chrome you are stuck on error message without any way to see raw content.


@antonkomarev commented on GitHub (Nov 22, 2022):

It looks like raw messages should be opened on a new tab all the time.


@axllent commented on GitHub (Nov 22, 2022):

The raw message comes from the same origin, so it is allowed by the permissions. It works fine in both Firefox and Chrome here. Are you sure it isn't the same issue you're having with your extensions you mentioned in #24?


@antonkomarev commented on GitHub (Nov 22, 2022):

Yes, I'm sure, we tested it on different browsers and machines. These screenshots are from different people.


@axllent commented on GitHub (Nov 23, 2022):

The HTTP server only sends the following header:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src 'self' data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';

This says frame-src 'self'; meaning iframes can be loaded from the same domain as you are accessing Mailpit from, eg: https://mailpit.example.com/api/v1/message/89db0f92-a94b-4e43-80f1-d25866d7e1e5/raw should be allowed to load from https://mailpit.example.com/#89db0f92-a94b-4e43-80f1-d25866d7e1e5.

Your error message:

in frame prohibited by directive «X-Frame-Options», setted as «DENY».
DOMException: Permission denied to access property "document" on cross-origin object

seems to imply that X-Frame-Options is being set somewhere, but it's not, or rather not from Mailpit. Are you using some HTTP proxy to access Mailpit? I need more information from you:

  1. Are you using a proxy? If yes, then this probably is where your problem is as it appears it is adding additional security headers which is blocking the requests in your browser.
  2. If not, then please provide me more information:
    a) the Mailpit version you are running?
    b) how is it currently set up in your network?
    c) I would like to see the browser's response headers from the Mailpit server (from the landing page, eg: https://mailpit.example.com/).

@antonkomarev commented on GitHub (Nov 29, 2022):

Mailpit 1.2.9

Response headers:

HTTP/2 200 OK
server: nginx/1.23.2
date: Tue, 29 Nov 2022 09:55:43 GMT
content-type: text/html; charset=utf-8
content-length: 359
accept-ranges: bytes
content-encoding: gzip
content-security-policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'; img-src * data: blob:; font-src 'self' data:; media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';
referrer-policy: no-referrer
x-frame-options: DENY
x-xss-protection: 1; mode=block
X-Firefox-Spdy: h2

@antonkomarev commented on GitHub (Nov 29, 2022):

Mailpit is hidden behind an nginx proxy:

location ~ /api/events {
      proxy_pass http://mailpit-01-backend;
      proxy_set_header      Host $host;
      # websocket support
      proxy_http_version    1.1;
      proxy_set_header      Upgrade $http_upgrade;
      proxy_set_header      Connection "Upgrade";
      proxy_read_timeout    86400;
}

location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://mailpit-01-backend;
      proxy_connect_timeout       120;
      proxy_send_timeout          120;
      proxy_read_timeout          120;
      send_timeout                120;
}

And we have global security policy:

add_header X-Frame-Options "DENY";

@axllent commented on GitHub (Nov 29, 2022):

I believe you have answered your own question. Your global policy (X-Frame-Options "DENY";) is what is blocking any iframe from loading anywhere. Mailpit requires an iframe to render the email HTML and raw email, and it does not require (or use) cross-origin to do so (it loads from the same host/domain). This isn't a limitation or anything broken in Mailpit, but an enforced limitation in your global policy, so there isn't anything I can do about it unfortunately. You will need to relax your policy to at least be able to load iframes from the same host.


@antonkomarev commented on GitHub (Nov 30, 2022):

Sent this thread to our devops team, will return with feedback.


@antonkomarev commented on GitHub (Nov 30, 2022):

Fixed by changing

add_header X-Frame-Options "DENY";

to

add_header X-Frame-Options "SAMEORIGIN";
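The thread hinges on which header actually decides whether a response may be embedded. Mailpit's `frame-src 'self'` governs what the Mailpit page itself may embed; whether the raw-message response may be framed is decided by that response's own `Content-Security-Policy: frame-ancestors` if present (in which case browsers ignore `X-Frame-Options`), and otherwise by `X-Frame-Options`, where `DENY` blocks every ancestor, same-origin included, and `SAMEORIGIN` allows only same-origin ancestors. The `DOMException` in the report is the fallout of the block: the iframe ends up showing the browser's own error page, which is not a Mailpit-origin document, so the UI's attempt to read its `document` is refused. Two nginx caveats worth knowing when applying the fix: `add_header` directives are inherited from an enclosing block only when the `location` defines none of its own, and `add_header` is only sent for 2xx/3xx responses unless `always` is given. The following checker is an added example written for this page, not code from Mailpit or from anyone in the thread; the function names `framing_allowed`, `origin_of` and `csp_frame_ancestors` are mine, and the header sets are constructed from the values pasted above.

```python
"""Decide whether a browser will let a parent page embed a response in an <iframe>.

Rules implemented (browser behaviour for X-Frame-Options and CSP frame-ancestors):
  * If the embedded response carries a Content-Security-Policy with a
    `frame-ancestors` directive, that directive decides and X-Frame-Options
    is ignored.
  * Otherwise X-Frame-Options decides: DENY blocks every ancestor,
    SAMEORIGIN allows only same-origin ancestors, absent allows all.
  * `frame-src` in the embedded response's own CSP is NOT consulted: it
    restricts what that document may embed, not who may embed it.
Port handling in host-source matching is simplified (ports are ignored).
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin (default ports dropped)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def csp_frame_ancestors(csp: Optional[str]) -> Optional[list[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(source: str, parent_origin: str, page_origin: str) -> bool:
    """Match one CSP source expression against the parent (embedding) origin."""
    if source == "*":
        return True
    if source == "self":
        return parent_origin == page_origin
    if source in ("http:", "https:"):                 # scheme-source
        return parent_origin.startswith(source)
    src_scheme, _, host_part = source.rpartition("://")  # host-source, optional scheme
    parent = urlsplit(parent_origin)
    if src_scheme and src_scheme != parent.scheme:
        return False
    host = host_part.partition(":")[0]                # ports ignored (simplification)
    if host.startswith("*."):
        return (parent.hostname or "").endswith(host[1:])
    return parent.hostname == host


def framing_allowed(headers: dict, page_url: str, parent_url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for embedding page_url inside a page at parent_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, parent_origin = origin_of(page_url), origin_of(parent_url)
    ancestors = csp_frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:                         # CSP wins over X-Frame-Options
        if ancestors == ["none"]:
            return False, "CSP frame-ancestors 'none'"
        ok = any(_source_matches(s, parent_origin, page_origin) for s in ancestors)
        return ok, f"CSP frame-ancestors {' '.join(ancestors)} (X-Frame-Options ignored)"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing, same origin included"
    if xfo == "SAMEORIGIN":
        return parent_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"


# Constructed sample input: the CSP Mailpit sends (as pasted above) plus the
# X-Frame-Options value the reporter's nginx added, and the corrected value.
MAILPIT_CSP = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
               "frame-src 'self'; img-src * data: blob:; font-src 'self' data:; "
               "media-src 'self'; connect-src 'self' ws: wss:; object-src 'none'; base-uri 'self';")
REPORTED = {"Content-Security-Policy": MAILPIT_CSP, "X-Frame-Options": "DENY"}
FIXED = {**REPORTED, "X-Frame-Options": "SAMEORIGIN"}
RAW_URL = "https://mailpit.example.com/api/v1/message/89db0f92-a94b-4e43-80f1-d25866d7e1e5/raw"
UI_URL = "https://mailpit.example.com/#89db0f92-a94b-4e43-80f1-d25866d7e1e5"

if __name__ == "__main__":
    for label, hdrs in (("reported", REPORTED), ("fixed", FIXED)):
        allowed, why = framing_allowed(hdrs, RAW_URL, UI_URL)
        print(f"{label}: {'allowed' if allowed else 'BLOCKED'} ({why})")
```

Run it against the headers you capture from the proxy (the landing page's response headers, as asked for above) rather than from Mailpit directly; the reporter's case is exactly the one where the two differ.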