github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 11:28:35 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #23959] [CLOSED] fix(iframe-embedding): auto SameSite=None + Secure cookies #43086

New Issue
Closed
opened 2026-04-25 14:47:04 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-25 14:47:04 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23959
Author: @pet84
Created: 4/21/2026
Status: Closed

Base: mainHead: fix/iframe-embedding-auto-samesite

📝 Commits (10+)

  • 87bf44e Add Railway configuration
  • 7e5ca21 Fix: Remove startCommand, use Dockerfile CMD
  • d274dd5 Add automatic model icons based on model name/ID
  • b44ed56 Update application logos and favicons
  • c7eed79 Merge tag 'v0.7.2'
  • 499d879 Center and enlarge login page logo
  • a703fa9 Update Czech translations: ArchEnergy branding and thread reply translation
  • 2482cca Update favicon and logo icons
  • fdf4232 Update favicon.svg
  • 59bf575 Rename 'Modely' to 'Agenty' and 'PracovnĂ­ prostor' to 'Tvorba AgentĹŻ' in Czech translation

📊 Changes

68 files changed (+20484 additions, -114 deletions)

View changed files

📝 .env.example (+13 -1)
.github/workflows/railway-nightly-redeploy.yml (+59 -0)
📝 .gitignore (+8 -0)
📝 CHANGELOG.md (+21 -0)
📝 backend/open_webui/config.py (+13 -0)
📝 backend/open_webui/env.py (+12 -5)
📝 backend/open_webui/main.py (+70 -0)
📝 backend/open_webui/migrations/versions/b7c8d9e0f1a2_add_last_read_at_to_chat.py (+15 -4)
📝 backend/open_webui/routers/models.py (+56 -0)
📝 backend/open_webui/utils/security_headers.py (+96 -1)
📝 backend/requirements.txt (+1 -1)
docs/cs/FU-JIE_PLUGINS.md (+160 -0)
docs/cs/GRAF_PLUGINS_COMPARISON.md (+127 -0)
docs/cs/adaptive_memory.md (+90 -0)
docs/cs/airis_image_pipeline.md (+217 -0)
docs/cs/airis_image_pipeline.py (+186 -0)
docs/cs/chartjs.md (+54 -0)
docs/cs/deep_dive.md (+884 -0)
docs/cs/document_generator.md (+359 -0)
docs/cs/export_to_excel.md (+1347 -0)

...and 48 more files

📄 Description

Problem

ENABLE_IFRAME_EMBEDDING=true (added in previous commit) correctly removes X-Frame-Options and relaxes CSP frame-ancestors, so the browser will render the WebUI inside a cross-origin iframe (e.g. Chrome extension sidepanel at chrome-extension://... framing https://chat3.archenergy.cz).

But the Svelte app immediately calls getSessionUser() via fetch(..., { credentials: 'include' }). Auth + session cookies default to SameSite=Lax, which the browser refuses to send inside a third-party iframe. Result: UI loads → session check returns empty → user is stuck on splash/login screen.

This is exactly the symptom reported in a Chrome extension integration: „vidím jen ikonku a login, nic víc".

Fix

When ENABLE_IFRAME_EMBEDDING=true, change the default for:

  • WEBUI_SESSION_COOKIE_SAME_SITE: laxnone
  • WEBUI_SESSION_COOKIE_SECURE: falsetrue
  • (Auth cookie inherits from session defaults.)

Explicit env-var overrides still win. Without the flag, nothing changes.

Requirements

  • Deployment must be HTTPS. SameSite=None cookies without Secure are rejected by all modern browsers — standard for any reverse-proxied setup.
  • Reverse proxies (nginx/Cloudflare/Railway edge) can still add their own X-Frame-Options or strip Set-Cookie attributes. Configure them separately if needed.

Test plan

  • Start the app without any env vars → same as before (SameSite=Lax, Secure=false, app loads standalone).
  • Start with ENABLE_IFRAME_EMBEDDING=trueSet-Cookie response headers show SameSite=None; Secure.
  • Embed the deployed (HTTPS) app in a cross-origin iframe → login persists across reloads.
  • Override WEBUI_SESSION_COOKIE_SAME_SITE=strict with flag on → explicit override wins (value is strict).

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23959 **Author:** [@pet84](https://github.com/pet84) **Created:** 4/21/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/iframe-embedding-auto-samesite` --- ### 📝 Commits (10+) - [`87bf44e`](https://github.com/open-webui/open-webui/commit/87bf44ece6e9938d3b692521e0dffa3f0fcc80ba) Add Railway configuration - [`7e5ca21`](https://github.com/open-webui/open-webui/commit/7e5ca212d99816288e5c68c58f35bdada876f74a) Fix: Remove startCommand, use Dockerfile CMD - [`d274dd5`](https://github.com/open-webui/open-webui/commit/d274dd5ff160ad64c0d215d41300333f36449195) Add automatic model icons based on model name/ID - [`b44ed56`](https://github.com/open-webui/open-webui/commit/b44ed56ea4ec9aa203d07ea92b75b8a981115c09) Update application logos and favicons - [`c7eed79`](https://github.com/open-webui/open-webui/commit/c7eed79c002a0e72744940c1e1b69eb6c37c3b6d) Merge tag 'v0.7.2' - [`499d879`](https://github.com/open-webui/open-webui/commit/499d879ecadca89d7a00971cba6a15f6879c0f39) Center and enlarge login page logo - [`a703fa9`](https://github.com/open-webui/open-webui/commit/a703fa98fb8e21f2cd3f52f0ab4dae0960d7c683) Update Czech translations: ArchEnergy branding and thread reply translation - [`2482cca`](https://github.com/open-webui/open-webui/commit/2482cca1dfa829cc5aeac12ca201cf49fdd6c4e5) Update favicon and logo icons - [`fdf4232`](https://github.com/open-webui/open-webui/commit/fdf42321bd901289371c3994308a3f2ab0442581) Update favicon.svg - [`59bf575`](https://github.com/open-webui/open-webui/commit/59bf575b3615b1da44ee9cbb35b81b4072ae0e72) Rename 'Modely' to 'Agenty' and 'PracovnĂ­ prostor' to 'Tvorba AgentĹŻ' in Czech translation ### 📊 Changes **68 files changed** (+20484 additions, -114 deletions) <details> <summary>View changed files</summary> 📝 `.env.example` (+13 -1) ➕ `.github/workflows/railway-nightly-redeploy.yml` (+59 -0) 📝 `.gitignore` (+8 -0) 📝 `CHANGELOG.md` (+21 -0) 📝 `backend/open_webui/config.py` (+13 -0) 📝 `backend/open_webui/env.py` (+12 -5) 📝 `backend/open_webui/main.py` (+70 -0) 📝 `backend/open_webui/migrations/versions/b7c8d9e0f1a2_add_last_read_at_to_chat.py` (+15 -4) 📝 `backend/open_webui/routers/models.py` (+56 -0) 📝 `backend/open_webui/utils/security_headers.py` (+96 -1) 📝 `backend/requirements.txt` (+1 -1) ➕ `docs/cs/FU-JIE_PLUGINS.md` (+160 -0) ➕ `docs/cs/GRAF_PLUGINS_COMPARISON.md` (+127 -0) ➕ `docs/cs/adaptive_memory.md` (+90 -0) ➕ `docs/cs/airis_image_pipeline.md` (+217 -0) ➕ `docs/cs/airis_image_pipeline.py` (+186 -0) ➕ `docs/cs/chartjs.md` (+54 -0) ➕ `docs/cs/deep_dive.md` (+884 -0) ➕ `docs/cs/document_generator.md` (+359 -0) ➕ `docs/cs/export_to_excel.md` (+1347 -0) _...and 48 more files_ </details> ### 📄 Description ## Problem `ENABLE_IFRAME_EMBEDDING=true` (added in previous commit) correctly removes `X-Frame-Options` and relaxes CSP `frame-ancestors`, so the browser **will render** the WebUI inside a cross-origin iframe (e.g. Chrome extension sidepanel at `chrome-extension://...` framing `https://chat3.archenergy.cz`). **But** the Svelte app immediately calls `getSessionUser()` via `fetch(..., { credentials: 'include' })`. Auth + session cookies default to `SameSite=Lax`, which the browser refuses to send inside a third-party iframe. Result: UI loads → session check returns empty → user is stuck on splash/login screen. This is exactly the symptom reported in a Chrome extension integration: „vidím jen ikonku a login, nic víc". ## Fix When `ENABLE_IFRAME_EMBEDDING=true`, change the **default** for: - `WEBUI_SESSION_COOKIE_SAME_SITE`: `lax` → `none` - `WEBUI_SESSION_COOKIE_SECURE`: `false` → `true` - (Auth cookie inherits from session defaults.) Explicit env-var overrides still win. Without the flag, nothing changes. ## Requirements - Deployment must be HTTPS. `SameSite=None` cookies without `Secure` are rejected by all modern browsers — standard for any reverse-proxied setup. - Reverse proxies (nginx/Cloudflare/Railway edge) can still add their own `X-Frame-Options` or strip `Set-Cookie` attributes. Configure them separately if needed. ## Test plan - [ ] Start the app without any env vars → same as before (`SameSite=Lax`, `Secure=false`, app loads standalone). - [ ] Start with `ENABLE_IFRAME_EMBEDDING=true` → `Set-Cookie` response headers show `SameSite=None; Secure`. - [ ] Embed the deployed (HTTPS) app in a cross-origin iframe → login persists across reloads. - [ ] Override `WEBUI_SESSION_COOKIE_SAME_SITE=strict` with flag on → explicit override wins (value is `strict`). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-25 14:47:05 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#43086
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?