mirror of https://github.com/maziggy/bambuddy.git synced 2026-05-09 08:25:54 +02:00

[GH-ISSUE #1191] [Enhancement]: x-frame-options and frame-ancestors headers break Home Assistant iframe embedding for local deployments #862

Closed
opened 2026-05-07 00:14:29 +02:00 by BreizhHardware · 1 comment

Originally created by @azurusnova on GitHub (May 2, 2026).
Original GitHub issue: https://github.com/maziggy/bambuddy/issues/1191

Originally assigned to: @maziggy on GitHub.

Component

Bambuddy

Bug Description

The security headers added in recent versions (x-frame-options: SAMEORIGIN and frame-ancestors 'none' in the Content-Security-Policy) break Bambuddy's ability to be embedded in Home Assistant's Webpage dashboard panel for users running both on a local network.

Bambuddy is running as a local add-on on Home Assistant OS on the same LAN as the HA instance with no external exposure. The HA Webpage dashboard panel is used to embed Bambuddy directly into the HA sidebar, making it accessible from both the desktop browser and the HA mobile app without needing to open a separate browser tab or remember a separate URL.

Since the security headers were introduced, the browser blocks Bambuddy from loading inside HA's iframe panel. The root cause was confirmed via curl:

x-frame-options: SAMEORIGIN
content-security-policy: ... frame-ancestors 'none';

frame-ancestors 'none' completely blocks embedding from any origin, including same-LAN trusted sources. Since HA runs on port 8123 and Bambuddy on port 8000, they are treated as different origins even on the same machine. Bambuddy works fine when accessed directly in a browser tab — the issue is exclusively with iframe embedding.

Expected Behavior

Bambuddy should load inside Home Assistant's Webpage dashboard panel (iframe) when both services are running on the same local network. Prior to the security headers being added, this worked without issue.

Ideally an environment variable such as ALLOW_IFRAME=true or TRUSTED_FRAME_ORIGINS should be available so users running Bambuddy in trusted local environments can disable or relax these headers without affecting the default secure behavior for internet-exposed deployments.

Steps to Reproduce

  1. Install Bambuddy on a local network machine (in this case as a Home Assistant OS local add-on)
  2. In Home Assistant, go to Settings -> Dashboards -> Add Dashboard -> Webpage
  3. Enter the Bambuddy URL (e.g. http://192.168.1.x:8000)
  4. Open the newly created dashboard panel in the HA sidebar
  5. See "192.168.1.x refused to connect" error in the iframe

Printer Model

None

Bambuddy Version

0.2.3.2

SpoolBuddy Version

No response

Printer Firmware Version

No response

Installation Method

Docker

Operating System

Linux (Ubuntu/Debian)

Relevant Logs / Support Package

No response

Screenshots

No response

Additional Context

This affects any user who has integrated Bambuddy into Home Assistant using the Webpage dashboard panel, which is currently the recommended method for HA integration given Bambuddy does not support HA Ingress. The iframe embedding approach worked in earlier versions of Bambuddy and broke when the security headers were introduced. A simple environment variable to control this behavior would resolve the issue for local/trusted deployments while keeping the default behavior secure for externally exposed instances.

Checklist

  • I have searched existing issues to ensure this bug hasn't already been reported
  • I am using the latest version of Bambuddy
  • My printer is set to LAN Only mode
  • My printer has Developer Mode enabled
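
One way the requested allowlist could be turned into response headers, as an added example that is not Bambuddy's code or the fix that shipped. It assumes `TRUSTED_FRAME_ORIGINS` is a comma-separated list of origins; the function names and the 192.168.1.10 address are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"[a-z0-9.\-:]+")  # hostnames, IPv4, bare IPv6; no ';', spaces or '*'

def parse_trusted_origins(raw):
    """Parse a comma-separated TRUSTED_FRAME_ORIGINS value (assumed format)."""
    origins = []
    for item in (part.strip() for part in (raw or "").split(",")):
        if not item:
            continue
        u = urlsplit(item)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"not an http(s) origin: {item!r}")
        if "@" in u.netloc or u.path not in ("", "/") or u.query or u.fragment:
            raise ValueError(f"expected scheme://host[:port] only: {item!r}")
        if not HOST_RE.fullmatch(u.hostname):
            # Blocks wildcards and characters that could inject extra CSP directives.
            raise ValueError(f"invalid host in origin: {item!r}")
        host = f"[{u.hostname}]" if ":" in u.hostname else u.hostname
        origin = f"{u.scheme}://{host}" + (f":{u.port}" if u.port else "")
        if origin not in origins:
            origins.append(origin)
    return origins

def framing_headers(raw):
    """Return (frame-ancestors directive, X-Frame-Options value or None)."""
    origins = parse_trusted_origins(raw)
    if not origins:
        # Nothing configured: keep the header values reported in the issue.
        return "frame-ancestors 'none'", "SAMEORIGIN"
    # X-Frame-Options cannot express a cross-origin allowlist, so it is dropped
    # and frame-ancestors alone names the permitted parent origins.
    return "frame-ancestors " + " ".join(origins), None

def parent_allowed(directive, parent_origin):
    """Simplified model of the browser check: exact scheme://host:port match."""
    return parent_origin in directive.split()[1:]

if __name__ == "__main__":
    ha = "http://192.168.1.10:8123"  # constructed Home Assistant origin
    directive, xfo = framing_headers(ha)
    print(directive, "| X-Frame-Options:", xfo)
    print(parent_allowed(directive, ha), parent_allowed(directive, "http://192.168.1.10:8000"))
```

Listing explicit origins keeps the embedding exception scoped to the Home Assistant host and port instead of turning the framing protection off for every parent page.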
BreizhHardware 2026-05-07 00:14:29 +02:00

@maziggy commented on GitHub (May 2, 2026):

Available/Fixed in branch dev and available with the next release or daily build. Please let me know if it works for you.

Docs -> https://wiki.bambuddy.cool/getting-started/docker/?h=embeddi#environment-variables


If you find Bambuddy useful, please consider giving it a ⭐ on GitHub — it helps others discover the project!
