rshinycontent-security-policyshiny-servershinyproxy

Shiny-proxy in iframe - Adding CSP does not solve chrome blocking it


I have a shiny application running with shiny-proxy and I want to embed this application within another hub application.

I configured the application.yml in shiny-proxy to:

  frame-options: allow-from http://127.0.0.1:5501
  Content-Security-Policy: frame-ancestors 'self' http://127.0.0.1:5501

The allow from directive is deprecated in chrome and safari and therefore, I used it, as suggested by many StackOverflow answers, I used the Content-Security-Policy option. However, this has not resolved the issue yet.

Chrome is still blocking it:

proxy:
  default-webSocket-reconnection-mode: Auto
  same-site-cookie: None
#  stop-proxies-on-shutdown: false
#  recover-running-proxies: true
#  recover-running-proxies-from-different-config: true
  title: Open Analytics Shiny Proxy
  logo-url: https://www.openanalytics.eu/shinyproxy/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: -1
  heartbeat-enabled: false
  container-wait-time: 20000
  servlet.session.timeout: 100000
  container-log-path: /var/log/shinyproxy/container-logs
  port: 8080
  authentication: simple
  admin-groups: admin
  users:
  - name: frank
    password: password
    groups: scientists
  # Docker configuration
  #  container-backend: docker
  container-backend: docker
  docker:
    cert-path: /home/none
    url: http://127.0.0.1:2375
    port-range-start: 20000

  specs:
  - id: something
  ...
logging:
  file:
    name: /var/log/shinyproxy/shinyproxy.log
#  level:
#    root: DEBUG
server:
  frame-options: allow-from http://127.0.0.1:5501
  Content-Security-Policy: frame-ancestors 'self' http://127.0.0.1:5501
  secure-cookies: true

enter image description here


Solution

  • Making everything HTTPS solved it.