Gitpod: [theia] Browser Widget isn't loading examples
for instance, the django example is failing to be shown in the preview browser to the side:
and in the referer-policy for the relevant resources seems to be different in comparison to PROD.
AlexTugarev
All 3 comments
The X-Frame-Options is sent to sameorigin. That header should be filtered by the proxy but is not.
svenefftinge
on 23 Nov 2020
The X-Frame-Options is sent to sameorigin. That header should be filtered by the proxy but is not.
We deploy
staging- and in the near futureprod- withws-proxy. In this casenginxforwards workspace-specific traffic via these lines (not the ones linked above). If we wanted to (re-)add the filter it's worth thinking about whether w want to add it tows-proxyinstead. If that's helpful we have to think through all deployment scenarios.I don't recall atm, but there were multiple factors that would allow/deny access
iframes. I'm not 100% sure thatX-Frame-Optionsis the reason in this case: @AlexTugarev can you check whether the header is actually sent (scrolling down in the first screenshot?)
geropl
on 23 Nov 2020
Yes, the X-Frame-Options header is the reason. And since we filtered it out in the past (in prod) we will break some use cases if we don't continue doing that. Some dev servers (e.g. django example) send this header by default because they want to be "secure by default". I think we should keep filtering that.
svenefftinge
on 23 Nov 2020
Related issues
akosyakov
路
3Comments
Kreyren
路
3Comments
LinqLover
路
3Comments
tekumara
路
3Comments
Kreyren
路
3Comments
Most helpful comment
Yes, the
X-Frame-Optionsheader is the reason. And since we filtered it out in the past (in prod) we will break some use cases if we don't continue doing that. Some dev servers (e.g. django example) send this header by default because they want to be "secure by default". I think we should keep filtering that.