Home Explore Help
Sign In
yunoadmin
/
bambuddy
mirror of https://github.com/maziggy/bambuddy
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix: relax X-Frame-Options to SAMEORIGIN so same-origin iframes load

  The security-headers middleware added in 0.2.3b4 set X-Frame-Options: DENY
  on every response, which blocked the Spoolman page iframe when Spoolman
  was served from the same host as Bambuddy via a reverse proxy. Relaxed
  to SAMEORIGIN — same-origin embedding works again, cross-origin
  clickjacking protection is preserved.
maziggy 1 month ago
parent
de7fff0be4
commit
f1483f525d
2 changed files with 2 additions and 1 deletions
Unified View Show Diff Stats
  1. 1 0
      CHANGELOG.md
  2. 1 1
      backend/app/main.py

+ 1 - 0
CHANGELOG.md
View File 

@@ -7,6 +7,7 @@ All notable changes to Bambuddy will be documented in this file.
 
 ### Fixed
 
 ### Fixed
 
 - **Clear Plate Confirmation Bypassed on Power Cycle** ([#961](https://github.com/maziggy/bambuddy/issues/961)) — With Auto Off enabled and another job queued, the smart plug would cut power when a print finished and immediately re-power when the scheduler saw the queue, at which point the printer booted fresh into `IDLE` and the next job auto-dispatched without the "Clear Plate & Start Next" confirmation. Root cause: the plate-cleared gate lived only in the in-memory `PrinterManager._plate_cleared` set, and the scheduler's idle check treated `IDLE` as always-idle regardless of whether a previous finish had been acknowledged — so the gate was lost across both Bambuddy restarts and the IDLE-on-boot state transition. The gate is now an `awaiting_plate_clear` column on the `printers` table, set by `on_print_complete` when a print finishes or fails, cleared by the `/printers/{id}/clear-plate` endpoint and by the scheduler when it dispatches the next job, and rehydrated from the DB into `PrinterManager` on startup. `_is_printer_idle` now short-circuits to not-idle whenever `require_plate_clear` is on and the printer is awaiting ack, regardless of the currently reported state — so the prompt survives Auto Off cycles, Bambuddy restarts, and the printer booting back into `IDLE`. The clear-plate endpoint no longer requires the printer to currently report `FINISH`/`FAILED` (it accepts the ack whenever the awaiting flag is set), and the Printers page widget prompts based on the flag rather than the reported state. Thanks to @miaopas for reporting.
 
 - **Clear Plate Confirmation Bypassed on Power Cycle** ([#961](https://github.com/maziggy/bambuddy/issues/961)) — With Auto Off enabled and another job queued, the smart plug would cut power when a print finished and immediately re-power when the scheduler saw the queue, at which point the printer booted fresh into `IDLE` and the next job auto-dispatched without the "Clear Plate & Start Next" confirmation. Root cause: the plate-cleared gate lived only in the in-memory `PrinterManager._plate_cleared` set, and the scheduler's idle check treated `IDLE` as always-idle regardless of whether a previous finish had been acknowledged — so the gate was lost across both Bambuddy restarts and the IDLE-on-boot state transition. The gate is now an `awaiting_plate_clear` column on the `printers` table, set by `on_print_complete` when a print finishes or fails, cleared by the `/printers/{id}/clear-plate` endpoint and by the scheduler when it dispatches the next job, and rehydrated from the DB into `PrinterManager` on startup. `_is_printer_idle` now short-circuits to not-idle whenever `require_plate_clear` is on and the printer is awaiting ack, regardless of the currently reported state — so the prompt survives Auto Off cycles, Bambuddy restarts, and the printer booting back into `IDLE`. The clear-plate endpoint no longer requires the printer to currently report `FINISH`/`FAILED` (it accepts the ack whenever the awaiting flag is set), and the Printers page widget prompts based on the flag rather than the reported state. Thanks to @miaopas for reporting.
 
 - **Insecure Temp File Creation in Backup Export** — The manual backup download endpoint used `tempfile.mktemp()`, which is vulnerable to a symlink race condition (CWE-377). Replaced with `tempfile.mkstemp()` which atomically creates the file, eliminating the TOCTOU window.
 
 - **Insecure Temp File Creation in Backup Export** — The manual backup download endpoint used `tempfile.mktemp()`, which is vulnerable to a symlink race condition (CWE-377). Replaced with `tempfile.mkstemp()` which atomically creates the file, eliminating the TOCTOU window.
 
+- **Spoolman Iframe Blocked After 0.2.3b4 Security Headers** — The Spoolman page (Inventory → Spoolman iframe) failed to load when Spoolman was served from the same host as Bambuddy via a reverse proxy. The security-headers middleware added in 0.2.3b4 set `X-Frame-Options: DENY` on every response, which blocked even same-origin iframing. Relaxed to `SAMEORIGIN` so Spoolman (and any other same-origin tool behind the same reverse proxy) can be embedded again, while still preventing cross-origin clickjacking.
 
 
 
 
 
 ## [0.2.3b3] - 2026-04-12
 
 ## [0.2.3b3] - 2026-04-12

+ 1 - 1
backend/app/main.py
View File 

@@ -4047,7 +4047,7 @@ async def security_headers_middleware(request, call_next):
 
     """Add standard HTTP security headers to every response."""
 
     """Add standard HTTP security headers to every response."""
 
     response = await call_next(request)
 
     response = await call_next(request)
 
     response.headers["X-Content-Type-Options"] = "nosniff"
 
     response.headers["X-Content-Type-Options"] = "nosniff"
 
-    response.headers["X-Frame-Options"] = "DENY"
 
+    response.headers["X-Frame-Options"] = "SAMEORIGIN"
 
     response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
     response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 
     return response
 
     return response