RECIPE: Embedding Mattermost in web applications using an iframe [unsupported recipe]

A request that’s come up from time to time is how to embed Mattermost in web applications using an iframe.

Any web application embedded into another using an iframe is at risk of security exploits, since the outer application intercepts all user input into the embedded application, an exploit known as Click-Jacking. By default, Mattermost disables embedding.

If you choose to embed Mattermost using the following instructions, we highly recommend it is done only on a private network that you control.

To embed Mattermost in an iframe, update your NGINX configuration to strip out the security policy settings in the HTTP header.

Replace all occurrences of the following line in your proxy config:

proxy_set_header X-Frame-Options SAMEORIGIN;

With the following two lines:

proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;

You can view related forum posts here.


These directives would allow embedding only from the specific origin https://domain.tld and should be much safer:

proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "frame-ancestors 'self' https://domain.tld; script-src 'self'";

I’m not a security expert but I guess this should be safe for production as well.
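
Added example, not part of either post above: a simplified Python model of the browser's framing decision, run against the response headers each configuration leaves in place, to show which origins may embed the page in each case. The function names, the origin `https://chat.example.internal` and the `BEFORE` headers are constructed for illustration; only the `REPLY` policy string is taken from the thread.

```python
# Simplified model: checks only the direct parent frame, and supports the
# 'none', 'self', '*' and exact scheme://host[:port] source expressions.

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, embedder, self_origin):
    if source == "*":
        return True
    if source.lower() == "'self'":
        return embedder == self_origin
    return source.rstrip("/").lower() == embedder.lower()

def framing_allowed(headers, embedder, self_origin):
    """headers: list of (name, value) pairs on the framed response."""
    policies = [v for n, v in headers if n.lower() == "content-security-policy"]
    lists = [fa for fa in map(frame_ancestors, policies) if fa is not None]
    if lists:
        # frame-ancestors overrides X-Frame-Options; every policy must allow
        # the embedder. 'none' (or an empty list) matches nothing.
        return all(
            any(source_matches(s, embedder, self_origin)
                for s in srcs if s.lower() != "'none'")
            for srcs in lists
        )
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if "DENY" in xfo:
        return False
    if "SAMEORIGIN" in xfo:
        return embedder == self_origin
    return True  # no framing policy at all: any site may embed the page

MM = "https://chat.example.internal"  # constructed origin of the chat server

# Constructed: a response that forbids cross-origin framing.
BEFORE = [("X-Frame-Options", "SAMEORIGIN"),
          ("Content-Security-Policy", "frame-ancestors 'self'")]
# First recipe: both headers hidden by proxy_hide_header, nothing added.
RECIPE = []
# Reply: headers hidden, then the restrictive policy added back.
REPLY = [("Content-Security-Policy",
          "frame-ancestors 'self' https://domain.tld; script-src 'self'")]
```

With the first recipe every origin passes the check; with the reply's policy only the server itself and `https://domain.tld` do.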