Allow mattermost inside an iframe, in a controlled way
This pull request introduced a security measure to protect against clickjacking attacks: https://github.com/mattermost/platform/pull/253
But it also prevents some legitimate uses of iframes. For example, Nextcloud has an "external sites" function to run any app as if it were a Nextcloud app, by putting it in an iframe inside Nextcloud (https://docs.nextcloud.com/server/9/admin_manual/configuration_server/external_sites.html).
My proposal is to add some settings to allow an authorized domain, and then change X-Frame-Options: instead of DENY, put ALLOW-FROM this domain. And to also check the domain in the JavaScript check in head.html.
This way it would allow legitimate uses, while still protecting against clickjacking attacks.
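As an added illustration of the server-side half of this proposal (not code from Mattermost or from this issue's author), the Go middleware below derives the anti-clickjacking headers from a single configurable allowed origin. The `FrameConfig` type, the `AllowedOrigin` field and the origin `https://cloud.example.org` are assumptions constructed for the example. One caveat worth knowing when implementing this: `X-Frame-Options: ALLOW-FROM` is only honoured by some browsers (Chrome and Safari ignore it and fall back to treating the header as absent), so the example always sends a `Content-Security-Policy: frame-ancestors` directive alongside it, which is the standardised way to whitelist a framing origin. Anything that is not a clean `scheme://host[:port]` fails closed to `DENY`, so a typo in the setting cannot silently disable the protection.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// FrameConfig mirrors the proposed setting: one origin that is allowed to
// embed the app in an iframe. Empty keeps today's behaviour (DENY).
// (Hypothetical type for this example, not a Mattermost config struct.)
type FrameConfig struct {
	AllowedOrigin string // e.g. "https://cloud.example.org" (constructed value)
}

// normalizeOrigin accepts only "https://host[:port]" (or http for dev setups)
// with no path, query, fragment or userinfo, and returns the canonical form.
// Any other value is rejected so that misconfiguration fails closed.
func normalizeOrigin(raw string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return "", false
	}
	if (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", false
	}
	return u.Scheme + "://" + u.Host, true
}

// FrameHeaders returns the X-Frame-Options and Content-Security-Policy values
// to emit. ALLOW-FROM is kept for browsers that still implement it; the CSP
// frame-ancestors directive is what current browsers actually enforce, so the
// two are always sent together and always agree with each other.
func FrameHeaders(cfg FrameConfig) (xfo, csp string) {
	origin, ok := normalizeOrigin(cfg.AllowedOrigin)
	if !ok {
		return "DENY", "frame-ancestors 'none'"
	}
	return "ALLOW-FROM " + origin, "frame-ancestors " + origin
}

// ClickjackingMiddleware stamps both headers on every response before
// handing the request to the wrapped handler.
func ClickjackingMiddleware(cfg FrameConfig, next http.Handler) http.Handler {
	xfo, csp := FrameHeaders(cfg)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", xfo)
		w.Header().Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-alone demo using an in-memory request/response pair.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	h := ClickjackingMiddleware(FrameConfig{AllowedOrigin: "https://cloud.example.org"}, app)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	fmt.Println("X-Frame-Options:", rec.Header().Get("X-Frame-Options"))
	fmt.Println("Content-Security-Policy:", rec.Header().Get("Content-Security-Policy"))
}
```

The same normalised origin would also need to be handed to the client-side frame check in head.html, otherwise the script would still break out of the iframe even though the server now permits it; keeping one source of truth for the value avoids the two checks drifting apart.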
-
Malek commented
Hey Andrés,
Which file did you change from DENY to ALLOW-FROM?
I can't find head.html or even context.go. Thank you.
-
Jim Whitescarver commented
We need this to run mattermost in our portals for diglife.com across mattermost instances.