Cacti breaks out from iframe

[koga]

Hi!

I tried to load cacti in icinga tab. Other sites loaded as expected, but cacti takes over the whole browser window.
Can sy help me?
thx

(I use http basic auth both for icinga and cacti)

cacti version 0.8.8a

[ckong3309]

I had the same problem with Wordpress Advanced iFrame plugin. It's apparently a security feature of Cacti 0.8.8f (where I think 0.8.8b worked). I wondered how something like this would be possible so I went looking and found this site:

http://stackoverflow.com/questions/2896 ... -of-iframe

The key phrase in the article was "Compare top and self, if they're not identical, you are in a frame." So I grep'd for that and found it in this file:

/cacti/include/csrf/csrf-magic.php

...the code:

Code: Select all

    if ($GLOBALS['csrf']['frame-breaker']) {
        $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
    }

I made a backup of the file, then commented out the check by adding a # in front of the lines:

Code: Select all

#    if ($GLOBALS['csrf']['frame-breaker']) {
#        $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
#    }

It worked. Cacti now appears in an iFrame. The iFrame is too small but that's a different problem to solve.

Btw, this obviously breaks a probably security feature of Cacti. Make sure you have other protections in effect (like Apache web authentication) before messing with this.

[haichai]

I m config /usr/share/cacti/site/include/csrf/csrf-magic.php

change $GLOBALS['csrf']['frame-breaker'] = true; to flase

It worked

[ZBRR]

Hi, I know this tred is kinda old but i try to use iframe and in cacti /var/www/cacti/include/vendor/csrf/csrf-conf.php i set the $GLOBALS['csrf']['frame-breaker'] = true; to false and still doesn´t work on iframe, i'm missing some step?

[TheWitness]

Are you trying to display a Cacti page inside of another Web App?

[ZBRR]

It's not in another app its an html file that i create to get cacti graph page with other monitoring stuff.
I found that the problem was CSP. When i added the Header then it worked fine.

[TheWitness]

Yea, we locked that down out of the box due to a bunch of security people providing negative feedback unless it was added. It's open source, so you can always unwind it.