Netgate Discussion Forum
Allow webGUI to work in an IFrame - pfSense 2.1

8 Posts 3 Posters 5.7k Views
    salmonbaytech
    last edited by Nov 12, 2013, 6:55 PM

    FYI, for anyone else who wants to use the webGUI in an IFrame.

    /usr/local/www/guiconfig.inc:Line 55
    Comment out
    Header("X-Frame-Options: SAMEORIGIN");

    /usr/local/www/csrf/csrf-magic.php:Line 116
    Change to false
    $GLOBALS['csrf']['frame-breaker'] = false;

    /usr/local/www/head.inc:Line 50
    Comment out
    body{display:none}

    /usr/local/www/head.inc:Line 58
    Comment out
    top.location = self.location;

    Standard disclaimer, don't do this if you aren't willing to sacrifice some security on your pfSense router!
    Great job to the pfSense team, just upgraded my 2.0.1 routers to 2.1 and it went pretty easy with lots of fancy configuration options!

      robi
      last edited by Dec 29, 2013, 3:52 PM

      Thanks for this.

      On v2.0.1 and 2.0.3 it was enough to just set $GLOBALS['csrf']['frame-breaker'] to false.

      @devs: I think it would be better to have an option in the Misc advanced settings to disable these officially. Most people access the webgui from protected networks anyway, not through plain public internet.

        jimp Rebel Alliance Developer Netgate
        last edited by Dec 30, 2013, 5:48 PM

        Unlike the other security checks which are optional, this one is a bit more likely to actually happen.

        It doesn't matter where you access it from, the problem is that some other random page could include the firewall in a frame and you may not realize it. It's a bit more subtle attack vector than the others.

        In a perfect world nobody would browse and manage firewalls from the same browser, or even workstation, but in reality it's not quite that straightforward.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          robi
          last edited by Jan 1, 2014, 5:15 PM

          You probably misunderstood me.

          I don't say to actually remove these security features! I only think it would be useful to have an option in the advanced settings to disable them. They should be enabled by default, but if someone wants to disable them, it would be nice not to have to modify the PHP code. It's only the responsibility of the admin user anyway, if he/she wants to use it like this, not the pfSense team.

            jimp Rebel Alliance Developer Netgate
            last edited by Jan 2, 2014, 3:35 PM

            The danger of the alteration should be proportionate to the action you have to take to make it happen. :-)

            Set it up as a patch in the system patches package. Easy to apply it there.


              salmonbaytech
              last edited by May 12, 2014, 3:59 PM

              Still works with 2.1.3, head.inc line numbers are shifted down by 1.

              I have used this several times since posting it to "fix" pfSense to work in an iframe. I really think this should be a checkbox, probably after "Browser HTTP_REFERER enforcement" on the System->Advanced page.

              My second thought would be a php config file for security features so after updating firmware "fixing" would be easy.

                salmonbaytech
                last edited by Aug 22, 2015, 6:38 PM

                So many releases, need to automate this. Storing in thread so I don't forget.

                This should work with versions 2.1 - 2.2.4

                
                #!/bin/sh
                # pfSense runs on FreeBSD: use /bin/sh (bash is not in the base system) and
                # BSD sed, whose -i needs an explicit backup suffix ('' = no backup file).
                
                # Remount the filesystem read-write (needed on NanoBSD installs)
                /etc/rc.conf_mount_rw
                
                # Comment out the X-Frame-Options header; match either Header( or header(
                sed -i '' -e '/[Hh]eader("X-Frame-Options: SAMEORIGIN");/s/^/\/\//' /usr/local/www/guiconfig.inc
                # Turn off the csrf-magic frame-breaker script
                sed -i '' -e "s/\['frame-breaker'\] = true/\['frame-breaker'\] = false/g" /usr/local/www/csrf/csrf-magic.php
                # // is not a CSS comment, but it makes the selector invalid so the rule is dropped
                sed -i '' -e '/body{display:none}/s/^/\/\//' /usr/local/www/head.inc
                # Comment out the JavaScript frame-breaker
                sed -i '' -e '/top.location = self.location;/s/^/\/\//' /usr/local/www/head.inc
                
                /etc/rc.conf_mount_ro
                
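A check a defender can run after an upgrade, or after applying the script above, to see which of the clickjacking controls discussed in this thread (the X-Frame-Options header, the body{display:none} rule and the top.location = self.location frame-breaker) are still in effect on a fetched webGUI page. This is an added example, not code from the thread or from pfSense; the sample response is constructed, and the handling of a CSP frame-ancestors directive goes beyond what the thread covers.

```python
import re

# Constructed sample of a stock response (not captured from a real pfSense box):
# the header plus the two in-page frame-breakers the thread comments out.
STOCK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
STOCK_BODY = """<html><head>
<style>
body{display:none}
</style>
<script>
if (top != self) {
top.location = self.location;
}
</script>
</head><body>webGUI</body></html>"""

# The same page after the sed script in the thread has prefixed the lines with //.
MODIFIED_HEADERS = {"Content-Type": "text/html"}
MODIFIED_BODY = (STOCK_BODY
                 .replace("body{display:none}", "//body{display:none}")
                 .replace("top.location = self.location;", "//top.location = self.location;"))


def frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _active_line(body, pattern):
    """True if some line matches pattern and is not commented out with a leading //."""
    lines = (ln.strip() for ln in body.splitlines())
    return any(re.search(pattern, s) for s in lines if not s.startswith("//"))


def audit_frame_protection(headers, body):
    """Report which clickjacking controls are still in effect for one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").upper() or None
    fa = frame_ancestors(h.get("content-security-policy", ""))
    # Only a header is enforced by the browser before the page renders; treat the
    # CSS/JS frame-breakers as defense in depth, not as the deciding control.
    blocked_by_header = xfo in ("DENY", "SAMEORIGIN") or (fa is not None and "*" not in fa)
    return {
        "x_frame_options": xfo,
        "frame_ancestors": fa,
        "css_body_hidden": _active_line(body, r"^body\s*\{\s*display\s*:\s*none"),
        "js_frame_breaker": _active_line(body, r"^top\.location(\.href)?\s*=\s*self\.location"),
        "third_party_frameable": not blocked_by_header,
    }
```

Feed it the headers and body from an authenticated fetch of the GUI; a result with third_party_frameable set to True means any site can embed the firewall page, which is the condition jimp describes above.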
                  jimp Rebel Alliance Developer Netgate
                  last edited by Oct 27, 2016, 1:48 PM

                  You're better off starting a new thread, a lot has changed since this thread (lighttpd switched out for nginx, for one).

                  From a security standpoint, allowing it to run in an iframe is an awful idea, which is why we have protection against it.
