[PR #2417] Add allowedFramingOrigins for MeshCentral clickjacking protection #3892

Open
opened 2026-03-14 07:44:30 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/amidaware/tacticalrmm/pull/2417
Author: @JonBons
Created: 2/20/2026
Status: 🔄 Open

Base: develop ← Head: feat-mesh-framing-origins


📝 Commits (1)

  • 81f3e3e feat: add allowedFramingOrigins for MeshCentral clickjacking protection

📊 Changes

6 files changed (+35 additions, -4 deletions)

View changed files

📝 .devcontainer/docker-compose.yml (+1 -0)
📝 ansible/roles/trmm_dev/templates/mesh.cfg.j2 (+1 -1)
📝 docker/containers/tactical-meshcentral/entrypoint.sh (+7 -1)
📝 docker/docker-compose.yml (+1 -0)
📝 install.sh (+1 -1)
📝 update.sh (+24 -1)

📄 Description

Replace allowFraming with allowedFramingOrigins for the default config so only the TacticalRMM frontend can embed MeshCentral in iframes, addressing potential clickjacking. (See the PR for the MeshCentral changes, https://github.com/Ylianst/MeshCentral/pull/7599, which was released in version 1.1.57 of MeshCentral.)

  • install.sh: use allowedFramingOrigins with frontend domain
  • Docker: add allowedFramingOrigins from APP_HOST (empty array if unset)
  • Ansible mesh.cfg.j2: add allowedFramingOrigins for prod and dev (port 8080)
  • update.sh: migrate existing allowFraming configs to allowedFramingOrigins
    • Skip when FRONTEND is empty or mesh config is missing
    • Add backup and warning on migration failure

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
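
The migration behaviour listed in the description (skip when there is no frontend or no config, back up, warn on failure), as an added Python sketch that is not the PR's `update.sh` code. The function name `migrate_framing`, the `.bak` suffix, the placement of the key under `settings`, and the `https://<frontend>` origin format are assumptions; the sample config is constructed.

```python
import json
import os
import shutil
import sys
import tempfile


def migrate_framing(cfg_path, frontend):
    """Swap allowFraming for an origin allow-list.

    Returns "skipped", "unchanged", "migrated" or "failed".
    """
    if not frontend or not os.path.isfile(cfg_path):
        return "skipped"  # no origin to pin to, or no config to edit
    try:
        with open(cfg_path, encoding="utf-8") as fh:
            cfg = json.load(fh)
        # ASSUMPTION: the framing keys live under the top-level "settings" object.
        settings = cfg.get("settings") if isinstance(cfg, dict) else None
        if not isinstance(settings, dict) or "allowFraming" not in settings:
            return "unchanged"
        shutil.copy2(cfg_path, cfg_path + ".bak")  # backup before any write
        del settings["allowFraming"]
        # ASSUMPTION: a list of origin strings; keep a list an admin already set.
        settings.setdefault("allowedFramingOrigins", [f"https://{frontend}"])
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cfg_path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh, indent=2)
        shutil.copymode(cfg_path, tmp)  # mkstemp creates 0600; keep original mode
        os.replace(tmp, cfg_path)  # atomic swap: never a half-written config
        return "migrated"
    except (OSError, ValueError) as exc:
        print(f"WARNING: framing migration failed for {cfg_path}: {exc}",
              file=sys.stderr)
        return "failed"


if __name__ == "__main__":
    # Constructed sample config, not taken from a real install.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"settings": {"port": 4430, "allowFraming": True}}, fh)
        print(migrate_framing(path, "rmm.example.com"))
        with open(path, encoding="utf-8") as fh:
            print(fh.read())
```

Running it a second time on the same file returns "unchanged", so the migration is safe to repeat on every update.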
