How to disable or bypass X-Frame-Options in header with iframe include of minio

[filoucrackeur]

NOTE

i have seen minio/minio#15548 but it don't respond to my case

Expected Behavior

i want to call https://localhost:9001/ in my iframe https://sandbox.local/

Current Behavior

Load of « https://localhost:9001/ » in frame is refused by « X-Frame-Options » defined with « DENY ».

Possible Solution

remove from header X-Frame-Options
or add field settings in admin UI

[harshavardhana]

@dvaldivia how did you do this for Operator UI?

[klauspost]

Ping @dvaldivia

[tounaf]

@filoucrackeur , you can use nginx as proxy for minio . Try to see this docs setup-nginx-proxy-minio

[dvaldivia]

hi @filoucrackeur we only support embedding the Object Browser at the moment via iFrame, is that what you are trying to achieve?

[filoucrackeur]

yes indeed

[baifachuan]

Execuse me, How can I embedding the Object Browser in my web page with Iframe?

I meet the same problem:

Load of « https://localhost:9001/ » in frame is refused by « X-Frame-Options » defined with « DENY ».

[allanrogerr]

We are discussing this internally.

[SergioKingOne]

I'm encountering issues with MinIO console iframe embedding too. Adding context to help debug:

Config:

minio:
  image: quay.io/minio/minio
  ports:
    - 9000:9000 # API
    - 9001:9001 # Console
  environment:
    MINIO_ROOT_USER: minioadmin
    MINIO_ROOT_PASSWORD: minioadmin
    MINIO_REGION_NAME: us-east-1
    MINIO_CORS_ALLOW_ORIGIN: "*"
    MINIO_BROWSER_REFERRER_POLICY: "no-referrer-when-downgrade"
    MINIO_BROWSER_CONTENT_SECURITY_POLICY: "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors * 'self' file://* http://localhost:* http://127.0.0.1:* http://0.0.0.0:*"
  volumes:
    - bioma-minio-data:/data
  command: server /data --console-address ':9001'

Current Behavior:

Login page loads fine in iframe
On login attempt: 403 Forbidden on /api/v1/session
UI becomes blank after failed login

Response Headers:

access-control-allow-origin: _
content-security-policy: default-src _ 'unsafe-inline' 'unsafe-eval'; frame-ancestors _ 'self' file://_ http://localhost:_ http://127.0.0.1:_ http://0.0.0.0:\*
referrer-policy: strict-origin-when-cross-origin
x-frame-options: ALLOWALL

I've configured NGINX but getting same behavior. Any ideas what else might be needed for session authentication to work in iframe mode? @dvaldivia you mentioned Object Browser is supported - any specific config needed for that?