OAuth login when roundcube is embedded in iframe

[rskrzypczak]

Correct me if I'm wrong, but OAuth logging doesn't work when roundcube is loaded in an iframe.
Redirect to accounts.google.com opens in the same window, and google doesn't allow it.

Refused to display 'https://accounts.google.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

Why not add an option to open authentication sites in pop-up window?

[iotalol]

That isnt a roundcube issue, You can actually do this your self lol. You can add the following to your nginx config
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Frame-Options "DENY";

[rskrzypczak]

I have to disagree.
It was google that set the X-Frame-Options parameter, preventing it from displaying its content in the iframe.
I have nothing to say here.
Let me remind you that we are talking about google OAuth screen, not the roundcube itself.

[iotalol]

Well... RoundCube isn't/wasn't intended for OAUTH2 Logins, You also probably cannot fix this issue as Google is the one that set those headers

[thomascube]

Yes, the redirect method used by the OAuth login flow is not meant to work from within iframes. And pop-up windows aren't really a better choice because most browsers block pop-ups by default. A proper approach to solve this has yet to be researched but I acknowledge the problem.