Add FAQ entry about iframing HedgeDoc

Signed-off-by: David Mehren <git@herrmehren.de>
This commit is contained in:
David Mehren 2021-08-12 22:35:21 +02:00
parent 038c1b4868
commit c9388add9d
No known key found for this signature in database
GPG key ID: 185982BA4C42B7C3


@ -34,3 +34,14 @@ header (which might be insecure) or include the URI of your HedgeDoc instance in
See [Mozillas docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for more details.
Also note that the `X-Frame-Options` header [is being obsoleted](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
by the `frame-ancestors` statement in the `Content-Security-Policy` header.
## Why can I not embed a HedgeDoc note in other pages using iframes?
Allowing your HedgeDoc instance to be embedded in other pages increases the risk of [clickjacking](https://en.wikipedia.org/wiki/Clickjacking),
[XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and other attacks.
Therefore, **we recommend to not enable** this option.
If you still want to allow embedding via iframe, ensure that:
- Your HedgeDoc instance is served via HTTPS
- `cookiePolicy` / `CMD_COOKIE_POLICY` is set to `none` (Otherwise you will get a `AUTH failed: No cookie transmitted` error.)
- `csp.allowFraming` / `CMD_CSP_ALLOW_FRAMING` is set to `true`
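Review bot: the second bullet tells readers to set `cookiePolicy` / `CMD_COOKIE_POLICY` to `none` but does not say what that costs: a `none` cookie policy (SameSite=None) gives up the SameSite protection against cross-site request forgery, which is exactly the class of risk the entry warns about two lines earlier. Suggest adding a clause such as "(this disables SameSite protection for the session cookie, which is why HTTPS is required)" so the trade-off is explicit next to the instruction. Two smaller points in the same hunk: "we recommend to not enable" should read "we recommend not enabling", and "a `AUTH failed: No cookie transmitted` error" should read "an `AUTH failed: No cookie transmitted` error". Finally, the new `## Why can I not embed ...` heading follows the previous paragraph with no blank line; the rest of this FAQ separates sections with one, so insert a blank line before the heading for consistent rendering.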