X-FRAME-OPTIONS and Web Type Monitors

Forum for questions and support relating to the 1.32.x releases only.
Pedulla
Posts: 133
Joined: Thu Nov 27, 2014 11:16 am
Location: Portland, Or

Post by Pedulla » Thu Nov 15, 2018 6:34 am

Absolutely love the Web Type monitor.
I want to use it for PTZ control direct from the camera's web admin interface. Not all features are mapped/scripted in the ZM PTZ scripts and the response time will be much better.
But... my camera's firmware (Hikvision, not that it matters for this post) does not allow a browser to load the admin page in an iframe.

I get it's a security feature and what I'm asking for is the same technique used in click-jacking, so I don't need the finger wag... ;) and yes it is mentioned in the docs.

There are header modification extensions/plugins for Chrome like Requestly that would need to be tackled on a per workstation basis; not ideal but doable.

I've seen some code for proxying the request (I'm no programmer) but I think it would work something like a static page on the ZM server that you make the source for the Web type monitor and pass the camera's URL as a parameter in the source line.

Has anyone worked a way around this issue?
Care to share how you did it?

I'd be happy to document the solution in the User Contribution section.

Essentials: UB18.04, ZM1.32.2

knight-of-ni
Posts: 2223
Joined: Thu Oct 18, 2007 1:55 pm
Location: Shiloh, IL

Post by knight-of-ni » Thu Nov 15, 2018 2:05 pm

Glad to hear I'm not the only one who finds this feature useful, but I'm not sure I understand what the issue is.

Here is the workflow for setting up a website monitor:
  • set up monitor of type "website"
  • Observe the website does not show in the monitor and ZoneMinder logs an X-FRAME-OPTIONS warning
  • load an "Ignore X-Frame Headers" plugin for your browser
  • Observe the website "camera" now works
  • Go to Options -> Web and turn off ZM_WEB_XFRAME_WARN
That is all there is to it. No need to set up a proxy.
See the help text for ZM_WEB_XFRAME_WARN.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/

Post by Pedulla » Thu Nov 15, 2018 7:26 pm

Browser plugin works for desktop browsers only (as far as I've been able to tell).
My theory is that if it were done on the web server as some sort of "request pass-through proxy thing" page (Sorry, don't know what to call it), it would be available on any platform.

Here is a screen shot of my implementation of it (using Requestly in Chrome)
A group called PTZ Control in Montage view.
Screenshot at 2018-11-15 11-17-46.png

LOL! - note the problem in the top right where the status reflects stopped, but it's very much running.

Couple of notes about this implementation with Hikvision. I use Linux stations everywhere and an occasional Mac. Hikvision has a Winblows only browser plugin (note the broken pic top left of the Hikvision window), but that does not prevent one from going directly to the camera's web-admin interface and opening up the PTZ controls.

Post by knight-of-ni » Fri Nov 16, 2018 1:29 am

For website cameras, ZoneMinder merely presents a URL for the client browser to retrieve.
So if it were possible to strip out the x-frame-options from the target website, it would have to be done between the client browser and the target website ...i.e. a proxy running on your firewall or something like that. Maybe you know that already and I'm just catching up.

I've never done anything like that but I would not be surprised if that were certainly possible. Maybe someone will chime in who has done something like this before. It might be worth looking into something like squid proxy.

Post by Pedulla » Sun Nov 18, 2018 7:56 am

So Asker kicked in on Slack and got me down the path of a reverse proxy. Note, this reverse proxy method is not working but because of my non-guru status when it comes to Apache, I thought I'd share and see if someone could fill in the blanks or suggest a better way to do it.

After a2enmod'ing proxy and http_proxy I added the following lines to my apache2.conf

Code:

ProxyPass "/ptz"         "http://192.0.0.26/"
ProxyPass "/doc"         "http://192.0.0.26/doc"
ProxyPass "/doc/page"    "http://192.0.0.26/doc/page"
ProxyPass "/doc/script"  "http://192.0.0.26/doc/script"
ProxyPass "/doc/script/common" "http://192.0.0.26/doc/script/common"
ProxyPass "/doc/script/config" "http://192.0.0.26/doc/script/config"
ProxyPass "/doc/script/isapi" "http://192.0.0.26/doc/script/isapi"

ProxyPass "/doc/script/lib" "http://192.0.0.26/doc/script/lib"
ProxyPass "/doc/script/lib/angularjs/angularjs" "http://192.0.0.26/doc/script/lib/angularjs/angularjs"
ProxyPass "/doc/script/lib/encryption" "http://192.0.0.26/doc/script/lib/encryption"

ProxyPass "/doc/script/lib/jquery" "http://192.0.0.26/doc/script/lib/jquery"
ProxyPass "/doc/script/lib/jquery/artDialog" "http://192.0.0.26/doc/script/lib/jquery/artDialog"
ProxyPass "/doc/script/lib/jquery/cookie" "http://192.0.0.26/doc/script/lib/jquery/cookie"
ProxyPass "/doc/script/lib/jquery/jquery" "http://192.0.0.26/doc/script/lib/jquery/jquery"
ProxyPass "/doc/script/lib/jquery/layout" "http://192.0.0.26/doc/script/lib/jquery/layout"

Each path the camera's web interface may need to traverse needs to be spelled out, so this is what a Hikvision camera looks like. I got this by inspecting the page code from the browser.

For testing I'm just using this path:

Code:

http://zm-ip/ptz

At this point, I can bring up the camera's log-in screen inside a browser, but after logging in I receive the Hikvision famous "network abnormal" error, which basically means it thinks something is jacked up on the network, like duplicate IPs or other fundamental network issues.

So if I'm going about this all wrong, I'd be happy to accept correction.
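
Added example, not part of the original posts and not a confirmed fix for the "network abnormal" error: one way to relax framing only at the reverse proxy, so the camera UI can be framed by pages served from the ZoneMinder origin and by nothing else, instead of disabling the check browser-wide with an extension. It assumes mod_headers is enabled alongside the proxy modules, reuses the /ptz and /doc paths and the camera address from the post above, and adds trailing slashes and ProxyPassReverse lines that the post does not have.

```apache
# Added example. Assumption: mod_proxy, mod_proxy_http and mod_headers are enabled.
# ProxyPass matches by path prefix, so "/doc/" also covers everything below it.
# Trailing slashes are kept consistent on both sides of each mapping.
ProxyPass        "/ptz/" "http://192.0.0.26/"
ProxyPassReverse "/ptz/" "http://192.0.0.26/"
ProxyPass        "/doc/" "http://192.0.0.26/doc/"
ProxyPassReverse "/doc/" "http://192.0.0.26/doc/"

# Rewrite framing headers on the proxied camera responses only;
# every other page on this server keeps its existing headers.
<LocationMatch "^/(ptz|doc)/">
    # Replace whatever value the camera sends (for example DENY) with a
    # same-origin policy. The proxied pages share the ZoneMinder origin,
    # so the Web type monitor may frame them and other sites may not.
    Header set X-Frame-Options "SAMEORIGIN"

    # Equivalent rule for browsers that enforce CSP frame-ancestors.
    # Note: "set" overwrites any Content-Security-Policy the camera sends.
    Header set Content-Security-Policy "frame-ancestors 'self'"
</LocationMatch>
```

With these mappings the monitor source becomes http://zm-ip/ptz/ (with the trailing slash).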
