Posted to user@guacamole.apache.org by Mauricio Silveira <ma...@livreti.com.br> on 2022/03/07 19:41:10 UTC

guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Hi.


I've done extensive tests, trying to figure out why a browser refresh 
(hitting F5) was causing a RDP session to turn into a black screen ( not 
sure about other connection types ), but Ctrl+Alt+Shift still works - 
using nginx + guacamole 1.4.0. Apache proxying was working fine.


After trying different distros, versions and package versions, I found 
this thread: 
https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 , and 
gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot. 
Immediate fix.


Haven't given it a deeper look to confirm, just tried with guacamole 
1.3.0 and it works fine even with X-Frame-Options DENY .


I found this possible problem, because I was testing full-screen by 
pressing F11, then F5 to reload guacamole session with the new window 
size in full screen.


This might be a bug, maybe not, just writing it down to help others 
dealing with this possible issue.


Thanks,

Mauricio Silveira


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Posted by Mauricio Silveira <ma...@livreti.com.br>.
Hey Mike, thanks for the quick response. ( Sorry for the e-mail sent 
direct to you, long time since last time I sent mails to a Mailing List)


It's not just about key-press/events.

If I open a guacamole RDP session, click the URL/address bar, and press 
enter, it is just the same behaviour as pressing F5 key. Clicking the 
address refresh button : same behaviour.


PS: I had to close all incognito windows, then reopen after editing 
nginx config and restarting nginx to perform tests.


Steps:

1.) Login, enter any RDP Connection, copy Connection URL, logoff guacamole

( preferably enter private/incognito mode )

2.) Paste Connection URL, enter credentials, wait for logon

3.) Click the address bar and simply press enter.

Result: Black screen

4.) press Ctrl+Alt+Shift for user menu

5.) Now click username, disconnect

Result: It doesn't disconnect / whatever happens here.

6.) Repeat steps 4 and 5, same results.

7.) Now click logoff, it works, gets logged off from guacamole.



Quick Update:

a) Repeat steps 1-4 above

b) Now click settings

c) Click at the tiling connection at bottom right

It goes back into the Connection.


I'm just presenting a strange behaviour ( not happening in 1.3.0 ).


Thanks,

Mauricio Silveira


On 3/7/22 16:54, Mike Jumper wrote:
> On Mon, Mar 7, 2022 at 11:41 AM Mauricio Silveira 
> <ma...@livreti.com.br> wrote:
>
>     Hi.
>
>     I've done extensive tests, trying to figure out why a browser refresh
>     (hitting F5) was causing a RDP session to turn into a black screen
>     ( not
>     sure about other connection types ), but Ctrl+Alt+Shift still works -
>     using nginx + guacamole 1.4.0. Apache proxying was working fine.
>
>     After trying different distros, versions and package versions, I
>     found
>     this thread:
>     https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 ,
>     and
>     gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot.
>     Immediate fix.
>
>     Haven't given it a deeper look to confirm, just tried with guacamole
>     1.3.0 and it works fine even with X-Frame-Options DENY .
>
>     I found this possible problem, because I was testing full-screen by
>     pressing F11, then F5 to reload guacamole session with the new window
>     size in full screen.
>
>     This might be a bug, maybe not, just writing it down to help others
>     dealing with this possible issue.
>
>
> No, this is not a bug. Guacamole already does everything it can to 
> handle all keyboard interaction. It cannot control whether the 
> browser, OS, etc. take control of certain keys or shortcuts. It can 
> only request that the browser send it everything, and hope that 
> the browser will do so.
>
> https://guacamole.apache.org/faq/#keyboard-shortcuts
>
> - Mike

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Mar 7, 2022 at 11:41 AM Mauricio Silveira <ma...@livreti.com.br>
wrote:

> Hi.
>
> I've done extensive tests, trying to figure out why a browser refresh
> (hitting F5) was causing a RDP session to turn into a black screen ( not
> sure about other connection types ), but Ctrl+Alt+Shift still works -
> using nginx + guacamole 1.4.0. Apache proxying was working fine.
>
> After trying different distros, versions and package versions, I found
> this thread:
> https://lists.apache.org/thread/prl1yzwfgfyvn2qn6qqsc6ytdgmn8yl6 , and
> gave the change of X-Frame-Options from DENY to SAMEORIGIN a shot.
> Immediate fix.
>
> Haven't given it a deeper look to confirm, just tried with guacamole
> 1.3.0 and it works fine even with X-Frame-Options DENY .
>
> I found this possible problem, because I was testing full-screen by
> pressing F11, then F5 to reload guacamole session with the new window
> size in full screen.
>
> This might be a bug, maybe not, just writing it down to help others
> dealing with this possible issue.
>

No, this is not a bug. Guacamole already does everything it can to handle
all keyboard interaction. It cannot control whether the browser, OS, etc.
take control of certain keys or shortcuts. It can only request that the
browser send it everything, and hope that the browser will do so.

https://guacamole.apache.org/faq/#keyboard-shortcuts

- Mike

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Posted by "Antoine G." <gu...@placi.de>.
On 08/03/2022 23:55, Mike Jumper - mjumper@apache.org wrote:
> Can you see in browser dev tools the specific request that is blocked 
> unless "SAMEORIGIN" is set?

Yes, of course.

Firefox states:
The loading of 
“https://guacamole.example.org/app/element/templates/blank.html” in a 
frame is denied by “X-Frame-Options“ directive set to “DENY“.
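
Why DENY produces the Firefox message above while SAMEORIGIN does not, as an added example that is not part of the original thread or of Guacamole's code: a simplified JavaScript model of the browser's X-Frame-Options check, following the header processing rules in the HTML Standard. The `other.example.net` host and the duplicated-header case are constructed for illustration.

```javascript
// Added example: models the X-Frame-Options check a browser runs before
// rendering a response inside a frame. Inputs below are constructed.
// headerValues: every X-Frame-Options header line present on the response.
// resourceUrl:  the document being loaded in the frame.
// ancestorUrls: URLs of all framing documents, from the parent up to the top.
function framingDecision(headerValues, resourceUrl, ancestorUrls) {
  // Repeated header lines and comma-separated values collapse into one set.
  const values = new Set(
    headerValues
      .flatMap((line) => line.split(","))
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v.length > 0)
  );
  if (values.size === 0) return { allowed: true, reason: "no X-Frame-Options header" };
  if (values.size > 1) {
    // Conflicting values (one layer adds SAMEORIGIN, another DENY) fail closed.
    const conflict = ["deny", "sameorigin", "allowall"].some((k) => values.has(k));
    return conflict
      ? { allowed: false, reason: "conflicting X-Frame-Options values" }
      : { allowed: true, reason: "only unrecognised values" };
  }
  const [value] = values;
  if (value === "deny") {
    return { allowed: false, reason: "DENY blocks every frame, same-origin included" };
  }
  if (value === "sameorigin") {
    const origin = new URL(resourceUrl).origin;
    const foreign = ancestorUrls.find((a) => new URL(a).origin !== origin);
    return foreign
      ? { allowed: false, reason: "cross-origin ancestor " + new URL(foreign).origin }
      : { allowed: true, reason: "all ancestors share the resource origin" };
  }
  return { allowed: true, reason: "unrecognised value is ignored" };
}

// URL taken from the Firefox message in the thread; OTHER is hypothetical.
const BLANK = "https://guacamole.example.org/app/element/templates/blank.html";
const APP = "https://guacamole.example.org/";
const OTHER = "https://other.example.net/embed.html";

function demo() {
  return {
    denySameOrigin: framingDecision(["DENY"], BLANK, [APP]),
    sameOriginSelf: framingDecision(["SAMEORIGIN"], BLANK, [APP]),
    sameOriginForeign: framingDecision(["SAMEORIGIN"], BLANK, [OTHER]),
    duplicated: framingDecision(["SAMEORIGIN", "DENY"], BLANK, [APP]),
  };
}
console.log(demo());
```

SAMEORIGIN keeps cross-origin pages from framing the application; it only lifts the block for frames whose ancestors are all on the application's own origin.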





Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Mar 8, 2022 at 9:31 AM Toine <gu...@placi.de> wrote:

> ...
> Previous behavior, before (with Guacamole-client 1.3):
> I click on that link and I'm immediately connected to my remote host.
>
> Current behavior, after (with Guacamole-client 1.4):
> I click on that link and visually, all I get is a black screen in my
> browser.
> If I refresh in my browser, it's not better.
> If I edit the URL to remove the tokens, and validate that URL in the
> address bar, then it works.
>
> Again, if I set X-Frame-Options to SAMEORIGIN, the above issue disappears.
>

Can you see in browser dev tools the specific request that is blocked
unless "SAMEORIGIN" is set?

As far as frames are concerned, Guacamole uses an iframe to initiate
downloads of files and an object to receive local resize events, but this
has been the case long before 1.4.0. It's not immediately clear why
anything would behave differently in 1.4.0 vs 1.3.0 solely due to
"X-Frame-Options".

- Mike

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

Posted by Toine <gu...@placi.de>.
On 07/03/2022 at 20:41, Mauricio Silveira - mauricio@livreti.com.br wrote:
> Haven't given it a deeper look to confirm, just tried with guacamole 
> 1.3.0 and it works fine even with X-Frame-Options DENY .

I suffered from the same behavior the past week, with the same diagnosis 
after extensive rollback & upgrades and ended up with the same "fix".
If confirmed, I think this kind of change could be notified in the 1.4.0 
release notes.

I have this (or a related) also in another situation than pressing F5: 
simply browsing to a connection.

Context:
My scripts get me an authentication token (thanks to 
guacamole-auth-json) that I use to build a URL that gives me direct 
access to a remote host via RDP.

ex: 
https://guacamole.example.org/#/client/bXlfbGl0dGxlX3JkcF9jb25uZWN0aW9uAGMAanNvbg==?token=599D729CDBE37A13F3EE4845A009E26C5F528546F7501300E8E3E94904E00741

	
Previous behavior, before (with Guacamole-client 1.3):
I click on that link and I'm immediately connected to my remote host.

Current behavior, after (with Guacamole-client 1.4):
I click on that link and visually, all I get is a black screen in my 
browser.
If I refresh in my browser, it's not better.
If I edit the URL to remove the tokens, and validate that URL in the 
address bar, then it works.

Again, if I set X-Frame-Options to SAMEORIGIN, the above issue disappears.

Toine
