Lychee Version 6.x do not work in IFRAME

[susoftch]

Hello,
I have running a Lychee installation Version 4.3 on a domain in a webhosting that are
showed in a IFRAME on a webpage.
Now on the same webhosting server, I have installed the newst version 6.6 of Lychee and this are not work in a IFRAME.
Any hints for this issue?

kind regards from central Switzerland
Andreas

[ildyria]

I am not sure why you need to display Lychee in an iframe. Especially given that there is now the "back home" configuration which allows you to select where you redirect the user.

After diving deeper, this is indeed due to security headers. I would not recommend to use Lychee in an iframe to be honest as this really messes up the policies on cookies etc.

[ildyria]

#3343 < Fixes incomming.
You will need to set some extra environment variables, namely:

SECURITY_HEADER_CSP_FRAME_ANCESTORS=url of the website having the iframe
SESSION_SECURE_COOKIE=true

[susoftch]

Hello and thanks for your fast answer, I will use Lychee in a CMS as Fotogallery, therefore I need a way to implement Mit freundlichen Grüssen / with kind regards Andreas Suter Am Mi., 14. Mai 2025 um 12:29 Uhr schrieb Benoît Viguier < ***@***.***>:

…

I am not sure why you need to display Lychee in an iframe. Especially given that there is now the "back home" configuration which allows you to select where you redirect the user. After diving deeper, this is indeed due to security headers. I would not recommend to use Lychee in an iframe to be honest as this really messes up the policies on cookies etc. — Reply to this email directly, view it on GitHub <#3342 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4HPAS75EAQTOGCSOKZQF326MLIRAVCNFSM6AAAAAB5C5PWDCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGMJUGMZDGNA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[susoftch]

Hello, I'm not shure, but this also does not work. I have put the extra variables into the .env file. But this also not work url of the Webpage https://alpegruess.ch url of Lychee: https://alpegruess.ch/lychee/public/gallery and Sorry, both in German :-) [image: image.png] Mit freundlichen Grüssen / with kind regards Andreas Suter Am Mi., 14. Mai 2025 um 13:09 Uhr schrieb Benoît Viguier < ***@***.***>:

…

#3343 <#3343> < Fixes incomming. You will need to set some extra environment variables, namely: SECURITY_HEADER_CSP_FRAME_ANCESTORS=url of the website having the iframe SESSION_SECURE_COOKIE=true — Reply to this email directly, view it on GitHub <#3342 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4HPARY5FSISZ6MGQQQHHL26MP63AVCNFSM6AAAAAB5C5PWDCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGMJUGM3DANI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[ildyria]

I said fix incoming. It is not available yet...

[ildyria]

Fixed. https://github.com/LycheeOrg/Lychee/releases/tag/v6.6.2

[susoftch]

oK, big sorry.... Mit freundlichen Grüssen / with kind regards Andreas Suter Am Mi., 14. Mai 2025 um 18:34 Uhr schrieb Benoît Viguier < ***@***.***>:

…

I said fix *incoming*. It is not available yet... — Reply to this email directly, view it on GitHub <#3342 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4HPAX2YL3Y5W5FZM3NQED26NWC7AVCNFSM6AAAAAB5C5PWDCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGMJUG42TMOI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[susoftch]

Hello, Yesterday have updated to the newest version, but the issue are not resolved, what I'm doing wrong?
Here are the part of the config, that I have changed:
SECURITY_HEADER_HSTS_ENABLE=false
SECURITY_HEADER_CSP_CONNECT_SRC=
SECURITY_HEADER_SCRIPT_SRC_ALLOW=
SECURITY_HEADER_CSP_CHILD_SRC=
SECURITY_HEADER_CSP_FONT_SRC=
SECURITY_HEADER_CSP_FRAME_ANCESTORS=https://www.alpengruess.ch
SECURITY_HEADER_CSP_FORM_ACTION=
SECURITY_HEADER_CSP_FRAME_SRC=
SECURITY_HEADER_CSP_IMG_SRC=
SECURITY_HEADER_CSP_MEDIA_SRC=
SESSION_SECURE_COOKIE=true

[ildyria]

can you switch to the nightly tag ? I don't remember if the release has the injection built it or not anymore.
I would also advise you to look into the network tab & console log of your web browser (F12) to see what kind of errors you are getting with regard to the iframe.
I do think SECURITY_HEADER_CSP_FRAME_ANCESTORS need to start with https://

[susoftch]

Hello and many thanks, now this work as expected!