Embed webmailer into another website

[jonasesser]

Hi all,

can you help me to embedd the webmailer into another website.
Currently I got the following error:

chromewebdata/:1
Refused to display 'https://mail.****.de/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

I think its related to Cross-Origin Resource Sharing (CORS).

Can you give me an hint to add the embeding site domain to cors allow list?

Best regards,
Jonas

[jonasesser]

currently returned Referrer Policy: strict-origin-when-cross-origin

[jonasesser]

Maybe in /srv/modoboa/instance/instance/settings.py under line # Security Settings:
Change line X_FRAME_OPTIONS = "SAMEORIGIN" to what ever you need?

[jonasesser]

No this will not work. Need to change the nginx configuration. Any hints where to find it?

[jonasesser]

I found it under /etc/nginx/sites-available... lets see...

[jonasesser]

also not working... can't change Referrer Policy and also not X-Frame-Options. Please help!

[jonasesser]

so the correct config file is /etc/nginx/sites-enabled/mail.mydomain.de.conf

But
add_header 'X-Frame-Option' 'ALLOW-FROM domain.com'
did not work. Because somewhere else already the header set to "sameorigin". So it will be conflicted.

Currently my solution is to use the newer header 'Content-Security-Policy' (only works in modern browsers):

Here my solution (DO NOT USE IN PRODUCTION)

add_header 'Referrer-Policy' 'unsafe-url';
add_header 'Content-Security-Policy' 'frame-ancestors domain.com http://localhost:8080';

[jonasesser]

It's working for the start page. But the /login still not working:

Refused to display 'https://mail.mydomain.de/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.