Invalid Token if run in IFrame

[sonnyka]

Describe the bug
When run in an iframe (in my case in organizr) snappymail refuses to login. The error shown is "invalid token".
Login w/o an iframe works.

To Reproduce
Steps to reproduce the behavior:

1. Go to my organizr website which shows snappymail in an iframe
2. Try to login
3. Invalid Token error occurs

Please complete the following information:

• Browser: Firefox 105.0.1 / Edge 105.0.1343.53
• PHP version: 7.4
• SnappyMail Version: 2.18.2

Debug/logging information
(I substituted my domain name with [mydomain.tld] for security reasons)
[Fri Sep 30 11:46:22.274836 2022] [php7:notice] [pid 117628] [client 2a02:8071:XXX:71a6:ee5b:56771] TOKENS DEBUG: New SESSION_TOKEN
[Fri Sep 30 11:46:22.328075 2022] [php7:notice] [pid 117628] [client 2a02:8071:XXX:71a6:ee5b:56771] SERVICE WARNING: InvalidToken[101]\r\n#0 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/Actions/UserAuth.php(195): RainLoop\Actions->getMainAccountFromToken()\n#1 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/Actions.php(1238): RainLoop\Actions->getAccountFromToken()\n#2 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/Actions/Folders.php(55): RainLoop\Actions->initMailClientConnection()\n#3 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/ServiceActions.php(155): RainLoop\Actions->DoFolders()\n#4 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/Service.php(133): RainLoop\ServiceActions->ServiceJson()\n#5 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/app/libraries/RainLoop/Service.php(15): RainLoop\Service::RunResult()\n#6 /var/www/[mydomain.tld]/snappymail/snappymail/v/2.18.2/include.php(169): RainLoop\Service::Handle()\n#7 /var/www/[mydomain.tld]/snappymail/index.php(11): include('/var/www/...')\n#8 {main}

Additional context
-- Snippet from application.ini --
[security]
; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
csrf_protection = On
custom_server_signature = "SnappyMail"
x_frame_options_header = "ancestors 'self' https://*.[mydomain.tld]"
x_xss_protection_header = "1; mode=block"
openpgp = Off

Does not matter if I set csrf_protection = Off

[the-djmaze]

https://snappymail.eu/tests/iframe.html works

Problem might be application.ini

x_frame_options_header = "SAMEORIGIN"

[sonnyka]

Thank you for your quick response, highly appreciated! :-)

I tried

x_frame_options_header = "deny" --> page does not load as intended
x_frame_options_header = "SAMEORIGIN" --> page does not load as it is on another domain (organizr: organizr.domain1.tld; snappymail: webmail.domain2.tld)

Also:

csrf_protection = Off --> does not change anything

I might add that Snappymail has been working with the settings shown in the ticket until maybe v2.17 or so (not 100% sure). Since then it stopped working.

I am a bit suspicious about the cookie: the login page loads successfully, leading me to think the CSRF settings are ok; however logging in does not work showing the Invalid Token error.

I am trying some more things over here, too, maybe I find something useful.

[the-djmaze]

Hmmm sounds more like cookie issues.
Did you try clearing all cookies in your browser?

Or do you have a second (never used) browser and use its incognito window?

[sonnyka]

Yep, working on a new incognito tab on Firefox.
For being total paranoid I also restart apache2 just to make sure (although I tend to think this 100% unnecessary).

Edit: Just to triple-check: Same thing on new incognito tab on Edge.

[the-djmaze]

Edit: Just to triple-check: Same thing on new incognito tab on Edge.

Sorry, i don't have Windows OS anywhere, so i can't check Edge
Does Edge have a debug console where you can check the http requests to see any issues with the cookies?

[sonnyka]

Hating Edge too, just used it to triple-check. I use Firefox. :-)

Thank you for pointing me to the console - should have thought for that for myself ...

Invalid X-Frame-Options header was found when loading “https://www.mydomain.tld/snappymail/”: “ancestors 'self' https://*.mydomain.tld” is not a valid directive.

mydomain.tld edited for anonymity.

Ok, I am stuck here as I am not so familiar with CSRF: If
“X-Frame-Options: "ancestors 'self' https://*.mydomain.tld”
is not valid as https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options suggests AND
X-Frame-Options: SAMEORIGIN
will not work either as snappymail and organizr are on different domains ... what do I have to put there?

I am very grateful for a hint or link so I can educate myself...

[the-djmaze]

I've just simplified the code with the release of v2.18.3 as X-Frame-Options is obsolete by CSP anyway.

So, to get what you want, you need to set the CSP in application.ini
try:

content_security_policy = "frame-src ancestors 'self' https://*.mydomain.tld"

else try

content_security_policy = "base-uri 'self'; default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src ancestors 'self' https://*.mydomain.tld"

[sonnyka]

Thank you for the new release and your explanations/examples.

I installed v.2.18.3 on my server. However, the error persists as described in my first post.

Snippet of application.ini

[security]
; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
csrf_protection = On
custom_server_signature = "SnappyMail"
x_frame_options_header = "DENY"
x_xss_protection_header = "1; mode=block"
openpgp = Off

; Access settings
content_security_policy = "frame-src ancestors 'self' https://*.mydomain1.tld https://*.mydomain2.tld"
;content_security_policy = "base-uri 'self'; default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src ancestors 'self' https://*.mydomain1.tld https://*.mydomain2.tld"
csp_report = Off
encrypt_cipher = "aes-256-cbc-hmac-sha1"

in_iframe = On

I tried both content_security_policy variations.

Firefox Inspector Console reads

Partitioned cookie or storage access was provided to “https://www.mydomain1.tld/snappymail/” because it is loaded in the third-party context and dynamic state partitioning is enabled
  Cookie “smtoken” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

I only see warnings in the Firefox Console, no errors.

Apache2 log reads

[Fri Sep 30 15:05:12.152220 2022] [php7:notice] [pid 129664] [client 2a02:8071:XXX:ee5b:62925] SERVICE WARNING: InvalidToken[101]\r\n#0 /var/www/mydomain1.tld/snappymail/snappymail/v/2.18.3/app/libraries/RainLoop/Service.php(130): RainLoop\\ServiceActions->ServiceJson()\n#1 /var/www/mydomain1.tld/snappymail/snappymail/v/2.18.3/app/libraries/RainLoop/Service.php(15): RainLoop\\Service::RunResult()\n#2 /var/www/mydomain1.tld/snappymail/snappymail/v/2.18.3/include.php(169): RainLoop\\Service::Handle()\n#3 /var/www/mydomain1.tld/snappymail/index.php(11): include('/var/www/...')\n#4 {main}

[the-djmaze]

Cookie “smtoken” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

Right, there the security kicks in.
Somehow your iframe setup is in a cross-site setup and then the cookies fail.

Say, someone creates an iframe for your webmail on yourdomainname.fake.com.
Then the page that loads the iframe can read cookies.
Now the cookie is blocked/rejected.

I've made a small change to the code so that you can change Strict into Lax or None as the cookies are httponly anyway to prevent JavaScript sniffing.

P.S. keep in mind that None will be restricted that everything must be https.

[sonnyka]

I applied the diffs of commit 69ae65b.

Furthermore, I added

[security]
cookie_samesite = "None"

I can confirm that now everything works fine, no more Invalid Token error occurs. Thank you very much! :-)

[sonnyka]

Hi,

could it be that #719 changed the behavior of the
cookie_samesite = "None"
setting or cookie behavior?

After updating to 2.24.3 login via an I-Frame again is not longer possible.
Error: Unbekannter Fehler (Unknown Error)

Firefox Console says:
Cookie “smctoken” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.

Config says:
cookie_samesite = "None"

[sonnyka]

Any news on this issue?

[the-djmaze]

Looking into it

[sonnyka]

Thank you, unfortunately it did not solve my issue.

When trying to log in in an IFrame I still get "Unknown Error".

Browser Console says
{ "Action": "Login", "Result": false, "ErrorCode": 999, "ErrorMessage": "0 - Missing smctoken", "ErrorMessageAdditional": "", "epoch": 1675328768 }

Cookies successufully set are
{ "Request Cookies": { "smaccount": "WyJjMjlrYVhWdCIsImhSU.......", "smsession": "16d7c9db....", "smtoken": "d722..." } }

[the-djmaze]

When smctoken is missing you didn't open /snappymail/ index before login attempt or it still refuses to set the cookie for some reason.

[sonnyka]

Just double checked:

• I definitively opened /snappymail/
• You are correct, no cookie smctoken is set when calling the index /snappymail/

Here the HTTP answer of calling /snappymail/ (Domain name edited by me for anonymity)

HTTP/1.1 200 OK 
Date: Thu, 02 Feb 2023 09:48:20 GMT
Server: Apache/2.4.54 (Debian)
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
Content-Security-Policy: base-uri 'self'; default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-b0d60ad0-625c-496a-a2c8-6bd31a5e4b15'; img-src 'self' data: https: http:; style-src 'self' 'unsafe-inline'; frame-src ancestors 'self' https://organizr.SOMEDOMAIN.TLD
X-XSS-Protection: 1; mode=block
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 02 Feb 2023 09:48:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
imagetoolbar: no
Service-Worker-Allowed: /
Content-Length: 30905
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Request header:

GET /snappymail/ HTTP/1.1
Host: www.SOMEDOMAIN2.TLD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de-DE,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://organizr.SOMEDOMAIN.TLD
Cookie: smtoken=d722da412d...; smsession=16d7c9...; smaccount=WyJjMjlrYVhWdCIsImhSUTRrc1NJNzlVUHYzY3BiMEpmQjh1dW5aN...
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site

[the-djmaze]

1. Open snappymail/v/N.N.N/static/js/boot.js
2. Replace samesite=strict with samesite=lax
3. Open application.ini
4. Set [debug] javascript to On

Try again.

[sonnyka]

• Did 1..4
• No change, still "unknown error"

Log

[2023-02-02 18:24:36.738][c3667180] [INFO]: [SM:2.25.1][IP:2a02:8071:X][PID:118160][Apache/2.4.54 (Debian)][apache2handler][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3][POST https://www.X.de/snappymail/?/Json/&q[]=/0/]
 [2023-02-02 18:24:36.740][c3667180] JSON[INFO]: Action: DoLogin
 [2023-02-02 18:24:36.740][c3667180] POST[INFO]: {"Email":"[email protected]","Password":"*******","Language":"","SignMe":"1","Action":"Login","XToken":"e1b0f43b207f4d..."}
 [2023-02-02 18:24:36.742][c3667180] IMAP[INFO]: Start connection to "ssl://imap.X.tld:993"
 [2023-02-02 18:24:36.756][c3667180] IMAP[INFO]: Connect (success)
 [2023-02-02 18:24:36.756][c3667180] IMAP[DEBUG]: 0.014297962188721 (raw connection)
 [2023-02-02 18:24:36.757][c3667180] IMAP[INFO]: < * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.\r\n
 [2023-02-02 18:24:36.757][c3667180] IMAP[DEBUG]: 0.015249967575073 (*)
 [2023-02-02 18:24:36.758][c3667180] IMAP[INFO]: > TAG1 AUTHENTICATE PLAIN *******\r\n
 [2023-02-02 18:24:36.772][c3667180] IMAP[INFO]: < TAG1 OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY STATUS=SIZE SAVEDATE LITERAL+ NOTIFY SPECIAL-USE] Logged in\r\n
 [2023-02-02 18:24:36.772][c3667180] IMAP[DEBUG]: 0.014828205108643 (TAG1)
 [2023-02-02 18:24:36.773][c3667180] Crypt[ERROR]: Sodium Missing smctoken
 [2023-02-02 18:24:36.773][c3667180] Crypt[DEBUG]: openssl_encrypt() with cipher aes-256-cbc-hmac-sha1
 [2023-02-02 18:24:36.773][c3667180] Crypt[ERROR]: OpenSSL Missing smctoken
 [2023-02-02 18:24:37.733][c3667180] SERVICE[WARNING]: Missing smctoken
 #0 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/snappymail/crypt.php(232): SnappyMail\Crypt::Passphrase()
 #1 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/snappymail/crypt.php(122): SnappyMail\Crypt::XxteaEncrypt()
 #2 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/UserAuth.php(348): SnappyMail\Crypt::Encrypt()
 #3 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/UserAuth.php(144): RainLoop\Actions->SetSignMeToken()
 #4 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/User.php(43): RainLoop\Actions->LoginProcess()
 #5 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/ServiceActions.php(137): RainLoop\Actions->DoLogin()
 #6 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Service.php(112): RainLoop\ServiceActions->ServiceJson()
 #7 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Service.php(14): RainLoop\Service::RunResult()
 #8 /var/www/X.tld/snappymail/snappymail/v/2.25.1/include.php(172): RainLoop\Service::Handle()
 #9 /var/www/X.tld/snappymail/index.php(11): include('/var/www/X...')
 #10 {main}
 [2023-02-02 18:24:37.733][c3667180] [NOTICE]: RuntimeException: Missing smctoken in /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/snappymail/crypt.php:50
 Stack trace:
 #0 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/snappymail/crypt.php(232): SnappyMail\Crypt::Passphrase()
 #1 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/snappymail/crypt.php(122): SnappyMail\Crypt::XxteaEncrypt()
 #2 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/UserAuth.php(348): SnappyMail\Crypt::Encrypt()
 #3 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/UserAuth.php(144): RainLoop\Actions->SetSignMeToken()
 #4 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Actions/User.php(43): RainLoop\Actions->LoginProcess()
 #5 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/ServiceActions.php(137): RainLoop\Actions->DoLogin()
 #6 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Service.php(112): RainLoop\ServiceActions->ServiceJson()
 #7 /var/www/X.tld/snappymail/snappymail/v/2.25.1/app/libraries/RainLoop/Service.php(14): RainLoop\Service::RunResult()
 #8 /var/www/X.tld/snappymail/snappymail/v/2.25.1/include.php(172): RainLoop\Service::Handle()
 #9 /var/www/X.tld/snappymail/index.php(11): include('/var/www/X...')
 #10 {main}
 [2023-02-02 18:24:37.733][c3667180] JSON[INFO]: {"Action":"Login","Result":false,"ErrorCode":999,"ErrorMessage":"0 - Missing smctoken","ErrorMessageAdditional":"","epoch":1675358677}
 [2023-02-02 18:24:37.734][c3667180] IMAP[INFO]: > TAG2 LOGOUT\r\n
 [2023-02-02 18:24:37.734][c3667180] IMAP[INFO]: < * BYE Logging out\r\n
 [2023-02-02 18:24:37.734][c3667180] IMAP[INFO]: < TAG2 OK Logout completed (0.001 + 0.000 secs).\r\n
 [2023-02-02 18:24:37.734][c3667180] IMAP[DEBUG]: 0.00067591667175293 (TAG2)
 [2023-02-02 18:24:37.734][c3667180] IMAP[INFO]: Disconnected from "ssl://imap.X.tld:993" (success)
 [2023-02-02 18:24:37.734][c3667180] IMAP[DEBUG]: 0.99230098724365 (net session)
 [2023-02-02 18:24:37.734][c3667180] [INFO]: Memory peak usage: 2MB
 [2023-02-02 18:24:37.735][c3667180] [INFO]: Time delta: 1.0016028881073

[robmies1968]

I am having the same problem, although Snappymail opens in an iFrame, when run on localhost. I have it integrated in a Yii2 application and with Sso.
On my cloudserver it refuses to authenticate (with message: Invalid token Server message: CSRF failed).
Replaced samesite=strict with samesite=lax.
CSRF protection is Off.
Firefox console errors as shown in image:

It is in Dutch, but translated it sounds like something: Some cookies abuse the recommended "SameSite"
Cookie 'smtoken' was rejected because it is in a cross-site context and the 'SameSite' is 'Lax' or 'Strict'.

Does this sound as something that is solvable?

[the-djmaze]

1. Which domain has the iframe?
2. Where is the iframe pointing to?

As in my example above:

1. https://snappymail.eu/tests/iframe.html
2. https://snappymail.eu/demo/

[sonnyka]

The problem seems to be that the cookie smctoken is defined strict no matter if changed in boot.js:

Version 2.26.2
boot.js

// doc.cookie = `smctoken=${smctoken};path=${doc.location.pathname};samesite=strict;secure";
doc.cookie = 'smctoken='+smctoken+";path=/;samesite=lax";
// doc.cookie = 'smctoken='+smctoken+";path=/;samesite=strict";

Chrome Console when opening NOT in IFrame:

• Checked with grep -ri smctoken . if I can find more locations where the cookie is set. Found min/boot.min.js - changed it to lax, too, but no difference
• Erased browser cache, no change

I have now idea why smctoken is still set with strict.

[robmies1968]

The problem seems to be that the cookie smctoken is defined strict no matter if changed in boot.js:

Version 2.26.2 boot.js

// doc.cookie = `smctoken=${smctoken};path=${doc.location.pathname};samesite=strict;secure";
doc.cookie = 'smctoken='+smctoken+";path=/;samesite=lax";
// doc.cookie = 'smctoken='+smctoken+";path=/;samesite=strict";

Chrome Console when opening NOT in IFrame:

* Checked with `grep -ri smctoken .` if I can find more locations where the cookie is set. Found min/boot.min.js - changed it to `lax`, too, but no difference

* Erased browser cache, no change

I have now idea why smctoken is still set with strict.

I did a search too, on 'smctoken', and it appears (together with the strict value) in lines 35 and 42 of boot.js. In Api.js (line 113) it seems the default setting is set to Strict. But that is only usefull when using the Api.
In Rainloop\Utils.php (line 11) there is a static property with the name $CookieSameSite set to Strict.
Also in app.js (line 4995 and 10201) is does something with a cookie and strict.
Changing all these to 'None' might not be the wisest option, I gather. I hope someone has suggestions?

[the-djmaze]

Is your <iframe> on site-a.com and requesting site-b.com?
Like: site-a.com/iframe.html <iframe src="https://site-b.com/"></iframe>

Then currently it is not possible due to cross-domain security.

You are on the right path with SameSite=None cookies, but must also specify Secure, meaning they require a secure context.
The problem with this, is that everyone could have an iframe on any website to embed your SnappyMail and read the cookies.

[robmies1968]

Is your <iframe> on site-a.com and requesting site-b.com? Like: site-a.com/iframe.html <iframe src="https://site-b.com/"></iframe>

Then currently it is not possible due to cross-domain security.

You are on the right path with SameSite=None cookies, but must also specify Secure, meaning they require a secure context. The problem with this, is that everyone could have an iframe on any website to embed your SnappyMail and read the cookies.

I have the <iframe> on the same site. So the reference is: "https://localhost/xxx/xxx/xxx/snappymail/index.php"
And all of a sudden it works! Unfortunately, I have changed so many things at once, that I don't know what caused it. :(

[the-djmaze]

localhost is mostly also an issue in browsers and then sometimes 127.0.0.1 does work

[sonnyka]

I can confirm that manually editing the cookie smctoken by making it samesite=none and secure utilizing a cookie editor for the browser makes Snappymail run smoothly within an iframe environment.

What I did:

• Organizr runs on website www.site1.tld
• Snappymail runs on website www.site2.tld
• Organizr embeds snappymail within an iframe
• Set cookie_samesite = None in application.ini
• Surf to www.site2.tld (this sets the cookie smctoken)
• Edit cookie smctoken being samesite=none and secure with a browser cookie editor
• Surf to www.site1.tld with iframe embedded www.site2.tld, then Login in snappymail
• Everything works fine

However, whatever I do editing v/X.X.X/static/js/boot.js, e.g

doc.cookie = 'smctoken='+smctoken+";path=/;samesite=none;secure"; 

it DOES not work, smctoken is always set with strict and non-secure.

@the-djmaze
I am not convinced setting cookies with samesite=none MUST be a security issue - although I agreee that it is more bulletproof to set it to samesite. However, I think this should be up to configuration and not hardcoded.

Another thing: Setting

content_security_policy = "frame-src ancestors 'self' https://www.site1.tld"

disallows any other site that www.site1.tld to embed snappymail (www.site2.tld).
Or what am I misunderstanding?

[the-djmaze]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src

frame-src directive specifies valid sources for nested browsing contexts

So this controls iframes on site2.tld are allowed, but does not control if site1.tld is allowed as parent.

For what you want read: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

[sonnyka]

I see, thank you for pointing that out! Good sources!

So I should better change

content_security_policy = "frame-src ancestors 'self' https://www.site1.tld"

to

content_security_policy = "frame-ancestors 'self' https://www.site1.tld"

Thank you @the-djmaze :-)

[sonnyka]

Ha, that was actually also the problem with setting the cookie smctoken:

• I changed it to content_security_policy = "frame-ancestors 'self' https://www.site1.tld"
• I changed doc.cookie = 'smctoken='+smctoken+";path=/;samesite=none;secure";
• Works like a charm now.

Thank you, @the-djmaze, you are my hero! And I really love how actively and reliably you maintain this wonderful project. Thank you so much!

[robmies1968]

Same here! Have changed everything backed and made only the changes mentioned by @sonnyka .
Unfortunately, now the SSO fails to work. I will look into that later...
Thanks all of you!