allow iFrame (xframe = ALLWALL)?

[cyberthom42]

I would like to display Tandoor inside a dashboard as an iframe. How can I allow iframe integration? There is a Django option called xframe. I already tried the following environment setting:
DJANGO_X_FRAME_OPTIONS: 'ALLOWALL'
But this does not help

[vabene1111]

Currently not, might be something for the future

[floetenmaul]

Would be great to have this. Would allow Tandoor to be used directly in Home Assistant dashboard.

[koenieee]

Yes same, why is it not supported?

[smilerz]

it adds all sorts of security problems

[Clancy508]

For anyone looking to do this, a somewhat hacky but effective way is to manually add the config to the server you're running. For instance, if using the docker compose "plain" setup with Nginx you can manually add
add_header Content-Security-Policy "frame-ancestors domain.com";
to the Recipes.conf file inside the tandooor_nginx_config volume (replace domain.com with the domain your dashboard is running on - this is more secure than allowing all domains).

(Easiest way to edit a volume is to fire up a one-shot container, something like this:
docker run --rm -it -v tandoor_nginx_config:/nginx bash to fire up the Docker bash container and mount the Nginx config under /nginx, the config file will be under /nginx/Recipes.conf assuming your volume names are the same as mine)

[Nisbo]

I also want to display tandoor in an iframe in Home Assistant (tandoor is installed on a different machine), I don't care about security because its local.

The 1st thing I did was adding this to my Nginx Proxy Manager (reverse Proxy)

proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;

add_header Content-Security-Policy "frame-ancestors 'self' http://192.168.178.52:8123" always;

So far I can see the login screen but I am not able to login because CSRF issue

I have tandoor running in portainer with this stack

version: "3.8" # Docker Compose file format version

# Service definitions for the big-bear-tandoor application
services:
  # Service name: big-bear-tandoor
  # The `big-bear-tandoor` service definition
  big-bear-tandoor:
    # Name of the container
    container_name: big-bear-tandoor

    # Image to be used for the container
    image: ghcr.io/tandoorrecipes/recipes:2.2.0

    # Container restart policy
    restart: unless-stopped

    # Volumes to be mounted to the container
    volumes:
      - big_bear_tandoor_staticfiles:/opt/recipes/staticfiles
      - big_bear_tandoor_mediafiles:/opt/recipes/mediafiles

    # Ports mapping between host and container
    ports:
      # Mapping port 8080 of the host to port 8080 of the container
      - "8888:8080"

    # Environment variables to be passed to the container
    environment:
      - SECRET_KEY=EDIT
      - DB_ENGINE=django.db.backends.postgresql
      - POSTGRES_HOST=big-bear-tandoor-db
      - POSTGRES_PORT=5432
      - POSTGRES_USER=tandoor
      - POSTGRES_PASSWORD=EDIT
      - POSTGRES_DB=tandoordb
      - MEDIA_ROOT=/opt/recipes/mediafiles
      - MEDIA_URL=/media/
      - DEBUG=1
      - CSRF_TRUSTED_ORIGINS=http://192.168.178.52,http://192.168.178.133

    # Network to be used by the container
    networks:
      - big_bear_tandoor_network

    # Healthcheck configuration for the container
    depends_on:
      big-bear-tandoor-db:
        condition: service_healthy

  big-bear-tandoor-db:
    image: postgres:15-alpine
    container_name: big-bear-tandoor-db
    volumes:
      - big_bear_tandoor_postgresql_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PORT=5432
      - POSTGRES_USER=tandoor
      - POSTGRES_PASSWORD=EDIT
      - POSTGRES_DB=tandoordb
    restart: unless-stopped
    networks:
      - big_bear_tandoor_network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U tandoor -d tandoordb"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

# Network definitions for the big-bear-tandoor application
networks:
  big_bear_tandoor_network:
    driver: bridge

# Volume definitions for the big-bear-tandoor application
volumes:
  big_bear_tandoor_staticfiles:
    driver: local
  big_bear_tandoor_mediafiles:
    driver: local
  big_bear_tandoor_postgresql_data:
    driver: local

Tandoor is running under: http://192.168.178.133:8888
Home Assistant is running under http://192.168.178.52:8123

I tried to add CSRF_TRUSTED_ORIGINS
https://docs.tandoor.dev/system/configuration/#csrf-trusted-origins

CSRF_TRUSTED_ORIGINS=http://192.168.178.52,http://192.168.178.133

but this doesnt work