[GH-ISSUE #1183] How to set per domain options to allow to put something in an iframe #967

Closed
opened 2026-02-26 06:35:15 +03:00 by kerem · 3 comments

Originally created by @erikthegamer1242 on GitHub (Jun 17, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1183

Sorry for being dumb, but how can I edit the configs per domain to set X frames to allowall because I can't log in to some sites (local WebUIs) to put them in an iframe. Or at least be able to tell the nginx that it can allowall from my webserver where the iframes are served

kerem closed this issue 2026-02-26 06:35:15 +03:00

@chaptergy commented on GitHub (Jun 18, 2021):

One additional thing: For some browsers the X-Frame-Options header is not sufficient, you will need the Content-Security-Policy header.

Two options:

  1. Use the advanced tab. Add something like the following:

    location / {
      # Force SSL
      include conf.d/include/force-ssl.conf;
      # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
      add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;
      add_header X-Frame-Options "ALLOW-FROM www.domain.com";
      add_header Content-Security-Policy "frame-ancestors www.domain.com";
      # Proxy!
      include conf.d/include/proxy.conf;
    }
    

    This however prevents you from using the toggles with HSTS and such on the main page and ssl page, so you would have to add those headers manually, as is already included in the above snippet.

  2. Add a custom location for this, where you repeat hostname and port of where you want to redirect, click on the cog and add the add_header commands there. However this also prevents the toggle values from being used, as in 1., so make sure you add every header you need (e.g. HSTS) as in 1.
    ![image](https://user-images.githubusercontent.com/26956711/122528287-aa945e80-d00b-11eb-8368-8db4a10fa2a4.png)


@Tobstr02 commented on GitHub (May 4, 2023):

Got this problem again here in 2023.
Version v2.9.19

I tried to fix it with the 2 options above from @chaptergy, but it didn't change anything.
The new header will be sent out, but as a 2nd content-policy header. So the first one with frame-src 'self' etc. will be used by my browser:

HTTP/2 200 OK
server: openresty
date: Thu, 04 May 2023 22:33:39 GMT
content-type: text/html;charset=utf-8
referrer-policy: no-referrer
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains
x-robots-tag: none
cache-control: no-cache
x-content-type-options: nosniff
content-security-policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
x-xss-protection: 1; mode=block
content-language: en
x-frame-options: ALLOW-FROM ###mydomain###
content-security-policy: frame-ancestors ###mydomain###

Content Security Policy: The page settings have blocked loading a resource on https://mydomain/realms/master/protocol/openid-connect/3p-cookies/step1.html ("frame-src").

Is there something I can change to disable the content-security-policy header for that host?


@nickelswitte commented on GitHub (May 7, 2023):

I have exactly the same problem. The headers just duplicate and it seems like the browser just takes the other one

```
HTTP/2 200 OK
server: openresty
date: Sun, 07 May 2023 10:32:39 GMT
content-type: text/html
content-encoding: gzip
x-frame-options: sameorigin
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
content-security-policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'
referrer-policy: same-origin
permissions-policy: interest-cohort=()
x-frame-options: ALLOW-FROM my.do.main
content-security-policy: frame-ancestors my.do.main
X-Firefox-Spdy: h2
```

For another of my pages this works well, but that is because it does not send those two headers itself. Not quite sure how to fix this. Is it possible to append to the existing headers? Some guidance would be nice :)

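Added example, not from the thread or the Nginx Proxy Manager project, for the duplicated-header problem in the last two comments: nginx's `add_header` appends a header rather than replacing it, so the upstream's own `Content-Security-Policy` and `X-Frame-Options` have to be dropped with `proxy_hide_header` before a replacement is issued. The replacement policy copies the upstream's other directives from Tobstr02's response dump and only widens `frame-ancestors`; `https://portal.example.com` is a placeholder for the site that hosts the iframe.

```nginx
# Advanced-tab (or custom-location cog) snippet for Nginx Proxy Manager.
# Assumed: the upstream app sends its own CSP/X-Frame-Options, and
# https://portal.example.com (placeholder) is the only site allowed to frame it.
location / {
    include conf.d/include/force-ssl.conf;

    # Remove the upstream's copies first. Without this, add_header produces a
    # second header and the browser enforces BOTH policies, so the upstream's
    # "frame-ancestors 'self'" still blocks the iframe (the symptom above).
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;

    # Any add_header in this location disables the ones inherited from the
    # host's toggles (HSTS etc.), so re-issue the headers you still want.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Keep the upstream's other CSP directives (frame-src, object-src) and only
    # widen frame-ancestors. Dropping the rest would silently weaken the app's
    # policy, not just its framing rule. 'self' keeps same-origin framing working.
    add_header Content-Security-Policy "frame-src 'self'; object-src 'none'; frame-ancestors 'self' https://portal.example.com" always;

    # X-Frame-Options "ALLOW-FROM" is obsolete and not honoured by current
    # browsers; a browser that understands frame-ancestors ignores
    # X-Frame-Options anyway, so no replacement X-Frame-Options is sent here.

    include conf.d/include/proxy.conf;
}
```

Verify with `curl -sI https://app.example.com/` (hostname placeholder) that exactly one `content-security-policy` header is returned and that it lists the framing origin under `frame-ancestors`.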