Help Me Understand - PMS 1.9.1.4272 - Outside Plex Forward

Plex Team:

Help me understand the need for you to redirect PMS’ login screen on my server? I have my own subdomain proxied to plex.domain.com and once my user goes to that page, the page is automatically forwarded to https://app.plex.tv/auth

I don’t need you in the middle of my stuff. So because of this, my proxy will no longer be able to be iFramed on my site because of what you have done.

Seriously, WTF?

+1 for this. It's stupid just doing this; I would call this a major change that requires an email notification to notify the users.

So much this.

It’s like the entire company had a meeting at the beginning of 2017 and schemed “What are some enormously out of touch decisions we can make this year that will completely tank our brand and ruin what makes us appealing to the community?”

I’m no longer auto-updating PMS, as this just broke my site. God damnit Plex.

+1 this. This completely messes up my local server.

@causefx

I have my own subdomain proxied to plex.domain.com
That’s fine – this continues to be supported.

once my user goes to that page, the page is automatically forwarded to https://app.plex.tv/auth
Correct, this is a security enhancement. To reduce phishing risks, take advantage of browser password autofill, and support optional Google/Facebook login, Plex requires that all authentication occurs on the plex.tv domain. This shouldn’t break normal scenarios.

So because of this, my proxy will no longer be able to be iFramed on my site because of what you have done.
You’re placing the Plex web app in an iframe? Why?

We explicitly must prevent users from loading the app.plex.tv authentication page in an iframe because this makes users vulnerable to clickjacking and some other cross-site scripting vulnerabilities.

@Gregflix

Correct, this is a security enhancement. To reduce phishing risks, take advantage of browser password autofill, and support optional Google/Facebook login, Plex requires that all authentication occurs on the plex.tv domain. This shouldn’t break normal scenarios.

That is fine for your domain. We the users control our own domains and can choose to protect them ourselves by whatever we deem necessary. If Plex thinks there is a security risk involved with other people finding their way to our Plex App screens, why not just allow login access to accounts originating from that PMS server?

You’re placing the Plex web app in an iframe? Why?

Why not? We build tools around this service, which in turn brings more users to this service… etc.

We explicitly must prevent users from loading the app.plex.tv authentication page in an iframe because this makes users vulnerable to clickjacking and some other cross-site scripting vulnerabilities.

This goes back to my first reply.

“Enhancement…”

This is not cool. Sooo many users are using apps like organizr, htpc manager, muximux, idashboard. Those are all useless now.

Gregflix…I’m sorry, but you’re not being entirely honest with that reply, or maybe you’re just not sure of another way.

@Gregflix said:

once my user goes to that page, the page is automatically forwarded to https://app.plex.tv/auth
Correct, this is a security enhancement. To reduce phishing risks, take advantage of browser password autofill, and support optional Google/Facebook login, Plex requires that all authentication occurs on the plex.tv domain. This shouldn’t break normal scenarios.

We explicitly must prevent users from loading the app.plex.tv authentication page in an iframe because this makes users vulnerable to clickjacking and some other cross-site scripting vulnerabilities.

You mustn’t “explicitly” prevent users from loading an authentication page in an iFrame…there are many other ways that authentication can be handled to be just as secure but still allow it to work with iFrames. Literally, Microsoft has put out papers on this subject.

Also, the idea that it shouldn’t break “normal” scenarios is flawed…you didn’t even realize that people were doing this, so you can’t determine for yourself if it’s normal or it’s not. I know far more people that use Reverse Proxies and iFrame containers with their Plex setups than not…does that mean it’s the norm? Can we each establish our own norms?

You’re placing the Plex web app in an iframe? Why?

That’s not strictly relevant. People were doing it, they had reasons for doing it, and you broke it with an unannounced change.

It’s troubling to me to see that Plex employees don’t have their fingers on the pulse of the community. There is a huge collection of tools and interfaces people are using as a direct consequence of this service. It’s an ecosystem.

You’re a big boy company now. If you can have 148 different janky hardware configurations in your office to test on, you should damn well have a server running docker that has all these tools and mods running too.

You cater to an enthusiast community. If we leave, you’re boned.

Get your house in order, fellas. Your priorities have been out of whack for 18 months at least.

Yeah the fact that he was:
a) unaware that it was even a thing, and then
b) asks us why, as though he knows a better way to be running our own domains

…tells me that plex has community engagement in name only, and their current trajectory is simply not sustainable.

We’re looking into mitigations that let us preserve the added security features without breaking your scenario. We still can’t allow an iframe of the login page, but something like an external popup for authentication may be possible.

Now is the time to remove the middle man. I shouldn’t need Plex to authenticate my own local server. It was tolerable in the past that Plex felt their position was between me and my media but it no longer is. Plex is now in a very precarious position that I hope they are aware of. Your user base is now with you simply because there is no alternative, you are losing loyal customers and forcing the rest to seek alternatives. The second there is a viable alternative mass exodus will occur and Plex will fall into the failed solutions pile along with Boxee.

Yep, broke my server too. Have to pop the entire Plex page out of my normally integrated website to be able to log in. Ridiculous change.

So who is building the plex replacement ?

@Gregflix so why the sudden change on how the auth works? What happens when plex.tv goes down again? That means my family members can't log in to my server by going to my subdomain. I too use a site to bring everything together on one domain, but because of the app.plex.tv reload, unless you are previously logged into my plex.domain.com, the only way around it is a pop out.

I understand security and possible MITM issues, but out of curiosity, just like many other self hosted apps, doesn't this slightly break the meaning of self-hosted? Several of the apps I use host a heavily encrypted version of the password so that if the external auth DOES go down, you can still use the app. I personally do not want to whitelist anything and use the auth.

Just trying to spark conversation.

I’m also affected by this change and would prefer a different solution.

If you could read a header set by our webservers, that would be helpful.

@causefx

If you could read a header set by our webservers, that would be helpful.
We’re currently looking at doing a JS check to see if the web app is being iframed. If it’s iframed, it would use the popup version of authentication instead of redirecting the iframe. That already exists – if you try to sign in with Safari in an InPrivate tab, you’ll see it.

@jonfinley

So why the sudden change on how the auth works? What happens when plex.tv goes down again? That means my family members can't log in to my server by going to my subdomain.

This hasn’t changed – just like before, the client only needs to talk to plex.tv if they are signed out. After they are signed in to your server, they won’t need to be redirected.
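The two mechanisms discussed in this thread, a login page that refuses to be framed (clickjacking protection) and a client-side check that switches an embedded app to a popup sign-in instead of redirecting the iframe, as an added example that is not Plex's code. The auth URL https://app.plex.tv/auth comes from the thread; the function names and the injected `open`/`navigate` helpers are hypothetical so the logic can run outside a browser.

```javascript
// Added example (not Plex's code). Shows (1) the headers an auth origin sends
// so browsers refuse to render it inside a frame, and (2) how a web app can
// detect that it is embedded and fall back to a popup sign-in window.

// Headers for the hosted login page. frame-ancestors 'none' is the CSP form;
// X-Frame-Options: DENY is the legacy form older browsers still honour.
function authPageHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// True when the app is not the top-level document. The self/top comparison
// is permitted even for cross-origin frames; the try/catch only guards
// against environments where `top` is not accessible at all.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// A top-level page may redirect to the auth origin; an embedded app must not,
// because the redirect would land on a page that refuses to render in a frame.
function chooseAuthFlow(win) {
  return isFramed(win) ? 'popup' : 'redirect';
}

// Start sign-in. In a real page `open` is window.open and `navigate` assigns
// location.href; they are injected here (hypothetical) so the logic is testable.
function startSignIn(win, authUrl, { open, navigate }) {
  const flow = chooseAuthFlow(win);
  if (flow === 'popup') {
    // The popup is its own top-level window, so frame-ancestors does not block it.
    open(authUrl, 'auth', 'width=500,height=650');
  } else {
    navigate(authUrl);
  }
  return flow;
}
```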