Ad Widget

**pc-nico** · 08-12-2017, 16:18

We use also a Frameset, at the top area Zabbix, at the buttom a newsticker and clock... since 3.4.4 zabbix sends a X-Frame Header....

you can commant out the Line 131 in /usr/share/zabbix/include/page_header.php

PHP Code:


header('X-Frame-Options: '.$x_frame_options);

but it is removed on every update, not so cool methode...

better:
you can use Addons in the Browser to ignore X-Frame Header

for Chrome use: https://chrome.google.com/webstore/d...kamfmkohkpodhe

works fine for us

**versh_va** · 10-04-2018, 09:22

But why? And how it can be unset via zabbix interface or config files?
It is not cool at all...

**glebs.ivanovskis** · 10-04-2018, 09:57

14 Upgrade notes for 3.4.4

https://www.zabbix.com/documentation/3.4/manual/installation/upgrade_notes_344#more_secure_zabbix_setup

**Miks.Kronkalns** · 10-04-2018, 10:10

For reasons please see also https://support.zabbix.com/browse/ZBX-13133.

Instead of commenting out line 131 in includes/page_header.php, it is better to change the value of X_FRAME_OPTIONS. Please take a look at section "HTTP headers" in include/defines.inc.php.

**tuxmartin** · 23-03-2020, 13:09

Changing X_FRAME_OPTIONS in /usr/share/zabbix/include/defines.inc.php does not work.

PHP Code:


// HTTP headers
/*
 * Value of HTTP X-Frame-options header.
 *
 * Supported options:
 *  - SAMEORIGIN (string) - compatible with rfc7034.
 *  - DENY (string) - compatible with rfc7034.
 *  - a list (string) of comma-separated hostnames. If hostname is not between allowed, the SAMEORIGIN option is used.
 *  - null - disable X-Frame-options header.
 */
define('X_FRAME_OPTIONS', 'SAMEORIGIN');
//define('X_FRAME_OPTIONS', 'https://zabbix.example.net, https://app.clickup.com);

You need to add two headers to nginx virtual host:

Code:

add_header X-Frame-Options "ALLOW-FROM https://zabbix.example.net https://app.clickup.com";
add_header Content-Security-Policy "frame-ancestors https://zabbix.example.net https://app.clickup.com";

Code:

martin@martin:~$ curl -IL https://zabbix.example.net
HTTP/2 200 
server: nginx/1.10.3 (Ubuntu)
date: Mon, 23 Mar 2020 11:00:16 GMT
content-type: text/html; charset=UTF-8
set-cookie: PHPSESSID=lhlrdkagsjf19ir6blg80kc1lc; secure; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN          # inserted by zabbix
strict-transport-security: max-age=31557600
x-frame-options: ALLOW-FROM https://zabbix.example.net https://app.clickup.com          # inserted by nginx
content-security-policy: frame-ancestors https://zabbix.example.net https://app.clickup.com          # inserted by nginx

**patrickdenis** · 04-02-2021, 21:02

Indeed i added FALSE and still nothing...

PHP Code:


* The sandbox attribute enables an extra set of restrictions for the content in the iframe. Default is set to empty
* string, which means all restrictions are applied. To disable, set to FALSE. To set a specific set of restrictions,
* write a custom string.
* https://www.w3.org/TR/2010/WD-html5-20100624/the-iframe-element.html#attr-iframe-sandbox
*/
define('ZBX_IFRAME_SANDBOX', 'FALSE');

// HTTP headers
/*
* Value of HTTP X-Frame-options header.
*
* Supported options:
* - SAMEORIGIN (string) - compatible with rfc7034.
* - DENY (string) - compatible with rfc7034.
* - a list (string) of comma-separated hostnames. If hostname is not between allowed, the SAMEORIGIN option is used.
* - null - disable X-Frame-options header.
*/
define('X_FRAME_OPTIONS', 'SAMEORIGIN');

/**

@tuxmatin so if i understand :

add_header X-Frame-Options "ALLOW-FROM https://zabbix.example.net https://app.clickup.com";

1st address ""https://zabbix.example.net" is my host and second one "https://app.clickup.com" is the url I'm inserting in the URL widget ?

Thank you in advance

**fourstepper** · 25-02-2021, 13:51

We are also having issues embedding the Zabbix site on our company's dashboard after 5.2 upgrade from 5.0.

We run Zabbix in docker, with the web interface behind a Traefik proxy.

For security reasons, we are setting the Content-Security-Policy header to

Code:

frame-ancestors 'self' http://internaldashboard.com;

We have just learned that zabbix itself has some settings regarding iframe under General > Other, but we are having a hard time setting those up correctly.

The main issue that we have come across is that while we are able to view the iframe which loads on our company dashboard, any login fails.

The settings we have done under General > Other for now are :

X-Frame-Options HTTP header: SAMEORIGIN and Use iframe sandboxing unchecked.

Ad Widget

Cant load zabbix pages in iframe anymore

Cant load zabbix pages in iframe anymore

Comment

Comment

Comment

Comment

Comment

Comment

Comment