Phabricator working in an iframe?

#1

Hello,

I use a custom Java application that aggregates more tools, including Phabricator, and cannot find a way to disable CSP and allow integration in an iframe.
I already looked into https://github.com/phacility/phabricator/blob/master/src/aphront/response/AphrontResponse.php#L169
and while it opens, it takes the whole browser tab, escaping the iframe.
To be mentioned: both the aggregation front application and Phabricator are self-hosted (public subdomain for each).

An example:
dash.example.com - main app with 3rd party tools in iframes
usage.example.com - Grafana in iframe (works)
phab.example.com - does not work even with “frame-ancestors *.example ..example.com”

Is there any workaround to allow this type of setup?

Thank you in advance.

0 Likes

#2

> Is there any workaround to allow this type of setup?

No. By design, Phabricator does not work in an iframe.

You can hack around this, but you will need to remove multiple layers of protection (CSP, X-Frame-Options, explicit window.parent hoisting), and will render yourself vulnerable to clickjacking attacks in doing so. If you choose to pursue this, you’re on your own.

(You may be able to use the API to safely integrate Phabricator with other tools.)

0 Likes
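Added example, not part of the thread and not Phabricator's code: a small JavaScript auditor for the two header-level layers named in the answer above (CSP `frame-ancestors` and `X-Frame-Options`), run over constructed header sets that include the policy string exactly as it appears in the question. The function names, the sample headers and the simplifications listed in the first comment are assumptions.

```javascript
// Added example: would these response headers let `parent` frame a page served from `self`?
// Simplifications (assumptions): one ancestor, ports and paths ignored, scheme-less sources match any scheme.
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, parent, self) {
  const p = new URL(parent), s = source.toLowerCase();
  if (s === "'self'") return p.origin === new URL(self).origin;
  if (s === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none' and malformed expressions match nothing
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ":" !== p.protocol) return false;
  // "*.example.com" covers subdomains only, never example.com itself
  return wildcard ? p.hostname.endsWith("." + host) : p.hostname === host;
}

function framingAllowed(headers, parent, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) // frame-ancestors present: browsers enforce it and ignore X-Frame-Options
    return { allowed: ancestors.some((src) => sourceMatches(src, parent, self)), layer: "csp" };
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, layer: "x-frame-options" };
  if (xfo === "sameorigin")
    return { allowed: new URL(parent).origin === new URL(self).origin, layer: "x-frame-options" };
  return { allowed: true, layer: "none" }; // no header-level framing protection at all
}

// Constructed sample headers (not captured from a real Phabricator install)
const SELF = "https://phab.example.com", PARENT = "https://dash.example.com";
const SAMPLES = {
  locked: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'", "X-Frame-Options": "Deny" },
  asPosted: { "Content-Security-Policy": "frame-ancestors *.example ..example.com" },
  xfoOnly: { "X-Frame-Options": "SAMEORIGIN" },
  scoped: { "Content-Security-Policy": "frame-ancestors https://dash.example.com" },
  bare: {},
};
for (const [name, hdrs] of Object.entries(SAMPLES))
  console.log(name, framingAllowed(hdrs, PARENT, SELF));
```

A header check cannot see script-level frame-busting such as the `window.parent` hoisting mentioned above, so a page can still break out of its frame even when both headers would permit framing.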

closed #3
0 Likes