Phoenix Liveview - Websocket connect_info 阻止 iframe 内容
[英]Phoenix Liveview - Websocket connect_info blocking iframe content
问题描述
I'm actually working on a phoenix app which I require to render in some websites embeded on an iframe, I finished coding the logic but I found that it was only working on Firefox, when using it on Chome or Opera, it end on an infinite loop recharging trying to render the content, throwing the following warning:
我实际上正在开发一个凤凰应用程序,我需要在嵌入在 iframe 上的一些网站中进行渲染,我完成了逻辑编码,但我发现它只适用于 Firefox,当在 Chome 或 Opera 上使用它时,它以无限循环充电尝试渲染内容,抛出以下警告:
I was trying to allow this with the extra option like this with no success.我试图通过像这样的额外选项来允许这一点,但没有成功。
@session_options [
store: :cookie,
key: "_analytics_key",
signing_salt: "BM3P8GYS",
extra: "SameSite=None;",
]
and then I found that on the last version of the Endpoint it had an specific option for this cookie called same_site, so I tried like this but I got the same results:然后我发现在 Endpoint 的最后一个版本中,它有一个名为 same_site 的 cookie 的特定选项,所以我尝试了这样,但得到了相同的结果:
@session_options [
store: :cookie,
key: "_analytics_key",
signing_salt: "BM3P8GYS",
same_site: "None",
#extra: "SameSite=None;",
secure: true
]
and everytime it fails rendering I got this logs on my console:每次渲染失败时,我都会在控制台上收到以下日志:
Anything seemed to work, but I found that removing the connect_info from the websocket on the endpoint automatically solved the issue, just like this:一切似乎都有效,但我发现从端点上的 websocket 中删除 connect_info 自动解决了这个问题,就像这样:
# socket "/live", Phoenix.LiveView.Socket, websocket: [connect_info: [session: @session_options]]
socket "/live", Phoenix.LiveView.Socket, websocket: []
But this will affect things like guardian and I guess a few security things, so I was looking for a way to remove this ONLY when trying to render the page on the iframe, I was thinking on a plug to do this but I don't know if this is possible for this specific part, maybe anyone know about something I could do here to accomplish what I want?但这会影响监护人之类的东西,我猜是一些安全问题,所以我一直在寻找一种方法来删除它,仅在尝试在 iframe 上呈现页面时,我正在考虑使用插件来执行此操作,但我没有知道这对于这个特定部分是否可行,也许有人知道我可以在这里做些什么来完成我想要的事情? Thanks in advance!提前致谢!
1 个解决方案
解决方案1
0 2020-12-20 12:26:17
You need to configure csp headers when embedding in another page/site.嵌入到另一个页面/站点时,您需要配置 csp 标头。 An leave connect_info like it is default.离开 connect_info 就像它是默认的。
defmodule UtasksWeb.Plugs.Csp do
import Plug.Conn
import Phoenix.Controller
def init(opts), do: opts
def call(conn, _opts) do
put_resp_header conn, "content-security-policy", csp(conn)
end
defp csp(conn) do
"default-src 'self' *.googleapis.com *.gstatic.com; \
connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://statics.teams.cdn.office.net; \
style-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.gstatic.com; \
frame-ancestors teams.microsoft.com *.teams.microsoft.com *.skype.com"
end
defp ws_url(conn, protocol \\ "ws") do
endpoint = Phoenix.Controller.endpoint_module(conn)
%{endpoint.struct_url | scheme: protocol} |> URI.to_string()
end
end
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.