Embed proxmox console into an iframe

[JVisi]

Hello.
The following scenario is given:
I have a page on domain A, and this page is being served with nginx to domain B.
Proxmox is also available at domain B:8006

Embedding domain B:8006 /?console=lxc&vmid={vmid}&node={node}&resize=scale&xtermjs=1 to an iframe in domain A is the thing I'd like to achieve.

B:8006/?console.... works as expected in a browser tab, however, in an Iframe it's not sending the PVEAuthCookie and csrfPreventionToken, even though in the network tab they're there.

All in all, how could I open the console view in an Iframe, on a different domain?

 

[dcsapak]

i guess you have to set 'allow-same-origin' in the 'sandbox' property, see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

 

[JVisi]

i guess you have to set 'allow-same-origin' in the 'sandbox' property, see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Thank you, that seems to be a step forward, however now the console just loads forever, probably because I get
Blocked script execution in '<URL>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set, however adding allow-scripts gets me 401 ticket error again

 

[dcsapak]

you can give multiple values to the sandbox attribute, try both 'allow-same-origin' and 'allow-scripts'

 

[JVisi]

you can give multiple values to the sandbox attribute, try both 'allow-same-origin' and 'allow-scripts'

I know, that's what I tried, it gives me the same 401 no ticket error

 

[dcsapak]

can you post your html snippet ?

 

[JVisi]

<iframe sandbox='allow-same-origin allow-scripts'
                        src={
                            "https://ip:8006/?console=lxc&novnc=1&vmid={vmid}&vmname={vmname}&node={node}"
                            } style={{ width: "100%", height: "100%" }} frameBorder={0}></iframe>

The url is good, opening it in another tab works fine, however from an Iframe, it gives 401 no ticket, even tho the parent page has a valid pveauth cookie, and CSRFPreventionToken

 

[dcsapak]

The url is good, opening it in another tab works fine, however from an Iframe, it gives 401 no ticket, even tho the parent page has a valid pveauth cookie, and CSRFPreventionToken

ok i think there is a misunderstanding, the iframe has to have the cookie not the parent page

 

[JVisi]

ok i think there is a misunderstanding, the iframe has to have the cookie not the parent page

But I have no control over the iframe, and there's no way I could tell the Iframe to use these cookies.
Anyway I tried opening the whole page, and log in inside the iframe, but the same 401 no ticket error happened

<iframe sandbox='allow-scripts allow-same-origin' src='https://ip:8006' style={{width:"100%", height:"800px"}}></iframe>

this gave me the proxmox login window, I logged in, the cookie got set for the proxmox's domain (I checked in the dev-tools/application window) but still the error persists

 

[dcsapak]

mhmm ok after a bit of testing, it seems that using an iframe in this manner doesn't allow the embedded site to access cookies from it's origin, even when using 'allow-same-origin'
not sure how to circumvent that... (besides maybe using a reverse proxy in between that inserts a 'Access-Control-Allow-Origin' header)

 

[JVisi]

mhmm ok after a bit of testing, it seems that using an iframe in this manner doesn't allow the embedded site to access cookies from it's origin, even when using 'allow-same-origin'
not sure how to circumvent that... (besides maybe using a reverse proxy in between that inserts a 'Access-Control-Allow-Origin' header)

I see, that's too bad. Thank you for your time and effort