Embedded stream-iframe with no surveillance password set should not ask for a password

deekerman commented

2026-02-28 01:10:19 -05:00

Owner

Originally created by @seb2010 on GitHub (Jan 14, 2023).

I do have setup multiple cameras and need to show the stream-iframe in a html-dashboard in the event of (external mesaured) motion.
Before I updated to the current version

motionEye Version | 0.43.0
Motion Version | 4.4.0
OS Version | Raspbian 11

(I am not sure what the old version was) I was able to access the iframe in the dashboard without beeing asked for a username/password via div-popup.

Now, after the update, I am asked for username/password every time I open the iframe, although no surveillance password is set/needed. Just clicking "Login" does the Job.
This is very much annoying and prohibits the use-case of just using the stream from motion/-eye to show on a html-dashboard. There cannot be any user interaction.
The "current-snapshot" does not work, as the frame script is the only way to show a video-like stream. Image refreshing comes with slower rendering times somehow.

As I specifically do want unauthorized surveillance access, there is no need to display the popup. If this is due to the fact, that you like to be able to login with admin credentials to then configure within the iframe, a login icon for this would be better in that regard.

So the solution from my point of view would be:

check if surveillance password is set. if not, show no div-popup for login in the iframe!

KR, SEB

Originally created by @seb2010 on GitHub (Jan 14, 2023). I do have setup multiple cameras and need to show the stream-iframe in a html-dashboard in the event of (external mesaured) motion. Before I updated to the current version ``` motionEye Version | 0.43.0 Motion Version | 4.4.0 OS Version | Raspbian 11 ``` (I am not sure what the old version was) I was able to access the iframe in the dashboard without beeing asked for a username/password via div-popup. Now, after the update, I am asked for username/password every time I open the iframe, although no surveillance password is set/needed. Just clicking "Login" does the Job. This is very much annoying and prohibits the use-case of just using the stream from motion/-eye to show on a html-dashboard. There cannot be any user interaction. The "current-snapshot" does not work, as the frame script is the only way to show a video-like stream. Image refreshing comes with slower rendering times somehow. As I specifically do want unauthorized surveillance access, there is no need to display the popup. If this is due to the fact, that you like to be able to login with admin credentials to then configure within the iframe, a login icon for this would be better in that regard. So the solution from my point of view would be: - check if surveillance password is set. if not, show no div-popup for login in the iframe! KR, SEB

deekerman added the

feature

security

labels

2026-02-28 01:10:19 -05:00

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@seb2010 commented on GitHub (Jan 28, 2023):

For anyone eager to solve this issue but does not want to wait for a reaction here:
you need to alter the main.html template of motioneye, which is used to create the html-frame-page. On my dist this was found here: /usr/local/lib/python3.9/dist-packages/motioneye/templates/main.html

At the bottom of the template, you will find the definition of two DIV-containers "modal-glass" and "modal-container", which will show the login-screen on page load. You can selectively disable this for the frame by adding this line above the DIV-definition:
{% if not frame %} and {% endif %} below these two. Save the file and the login-popup will not show.

@seb2010 commented on GitHub (Jan 28, 2023): For anyone eager to solve this issue but does not want to wait for a reaction here: you need to alter the main.html template of motioneye, which is used to create the html-frame-page. On my dist this was found here: /usr/local/lib/python3.9/dist-packages/motioneye/templates/main.html At the bottom of the template, you will find the definition of two DIV-containers "modal-glass" and "modal-container", which will show the login-screen on page load. You can selectively disable this for the frame by adding this line above the DIV-definition: `{% if not frame %}` and `{% endif %}` below these two. Save the file and the login-popup will not show.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@MichaIng commented on GitHub (Jan 28, 2023):

Many thanks for reporting. Also no password in a way is a password, at least the username needs to be entered correctly, and you need to explicitly leave the password field empty.

We need to check how this was done on v0.42.x, whether it was intended, and whether the changed behaviour was intended. But yeah, as long as there is no option to explicitly allow a camera to be viewed without login, it is probably best to use an empty surveillance user password as indicator that this is wanted.

Btw, isn't it possible/better to frame the motion stream directly, instead of the motionEye UI?

@MichaIng commented on GitHub (Jan 28, 2023): Many thanks for reporting. Also no password in a way is a password, at least the username needs to be entered correctly, and you need to explicitly leave the password field empty. We need to check how this was done on v0.42.x, whether it was intended, and whether the changed behaviour was intended. But yeah, as long as there is no option to explicitly allow a camera to be viewed without login, it is probably best to use an empty surveillance user password as indicator that this is wanted. Btw, isn't it possible/better to frame the motion stream directly, instead of the motionEye UI?

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@seb2010 commented on GitHub (Jan 28, 2023):

Yes, somewhat true what you are saying. But let's be honest, just by overlaying a div above the still viewable content does not provide any security at all.

And please keep in mind, that motioneye is one of the options for rtsp camera owners to convert to mjpeg streams. So the ONLY use case for some might be just to access the plain stream. And since this is used to be displayed in smart home frontends, the options for NO authentication whatsoever needs to be available.

I actually use the frame, because it somehow is able to display the jog sequence more smoothly than a page with frequent refreshes.

@seb2010 commented on GitHub (Jan 28, 2023): Yes, somewhat true what you are saying. But let's be honest, just by overlaying a div above the still viewable content does not provide any security at all. And please keep in mind, that motioneye is one of the options for rtsp camera owners to convert to mjpeg streams. So the ONLY use case for some might be just to access the plain stream. And since this is used to be displayed in smart home frontends, the options for NO authentication whatsoever needs to be available. I actually use the frame, because it somehow is able to display the jog sequence more smoothly than a page with frequent refreshes.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@MichaIng commented on GitHub (Jan 28, 2023):

But let's be honest, just by overlaying a div above the still viewable content does not provide any security at all.

That is true indeed 😄. I wonder whether the stream is also shown (below the div) if an actual password is applied, or whether this is indeed depending on empty vs non-empty password. Makes of course sense to align both.

@MichaIng commented on GitHub (Jan 28, 2023): > But let's be honest, just by overlaying a div above the still viewable content does not provide any security at all. That is true indeed 😄. I wonder whether the stream is also shown (below the div) if an actual password is applied, or whether this is indeed depending on empty vs non-empty password. Makes of course sense to align both.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@seb2010 commented on GitHub (Jan 28, 2023):

Yes, the stream is playing while the div is active. I just found the solution by playing around with Chrome Dev-Tools and just deleted the div. Below this, everything works as desired and prior to entering the pwd.

@seb2010 commented on GitHub (Jan 28, 2023): Yes, the stream is playing while the div is active. I just found the solution by playing around with Chrome Dev-Tools and just deleted the div. Below this, everything works as desired and prior to entering the pwd.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@schnudd31do3 commented on GitHub (Sep 2, 2024):

Hi seb2010, you saved my life :-;
In the current version they have added one more DIV container. So currently you have to wrap all three DIV containers: "modal-glass", "modal-container" and "popup-message-container".

If they would not realize this feature, I alternatively suggest creating the option for own templates so that every update of motioneye does not overwrite the changes in the modified main.html.

@schnudd31do3 commented on GitHub (Sep 2, 2024): Hi [seb2010](https://github.com/seb2010), you saved my life :-; In the current version they have added one more DIV container. So currently you have to wrap all three DIV containers: "modal-glass", "modal-container" and "popup-message-container". If they would not realize this feature, I alternatively suggest creating the option for own templates so that every update of motioneye does not overwrite the changes in the modified main.html.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@Demetriao commented on GitHub (Apr 6, 2025):

I did some testing and this can easily be fixed with this change:
github.com/motioneye-project/motioneye@f6c9a2f0cf/motioneye/static/js/main.js (L5484)

to:

 if(isAuthCookiesSet() || frame) {

If you want to try this use this command:

sudo sed -E -i 's/^[[:space:]]*if\(isAuthCookiesSet\(\)\) \{/    if(isAuthCookiesSet() || frame) {/' /usr/local/lib/python3*/dist-packages/motioneye/static/js/main.js`

You may need to adjust the path..

@Demetriao commented on GitHub (Apr 6, 2025): I did some testing and this can easily be fixed with this change: https://github.com/motioneye-project/motioneye/blob/f6c9a2f0cf1e482955eb53faccb91cbcf8490f8f/motioneye/static/js/main.js#L5484 to: ``` if(isAuthCookiesSet() || frame) { ``` If you want to try this use this command: ``` sudo sed -E -i 's/^[[:space:]]*if\(isAuthCookiesSet\(\)\) \{/ if(isAuthCookiesSet() || frame) {/' /usr/local/lib/python3*/dist-packages/motioneye/static/js/main.js` ``` You may need to adjust the path..

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@holdit commented on GitHub (Apr 7, 2025):

Was having this issue after reinstalling MotionEye (was running an older version before) and @Demetriao change above seems to work well.

@holdit commented on GitHub (Apr 7, 2025): Was having this issue after reinstalling MotionEye (was running an older version before) and @Demetriao change above seems to work well.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@holdit commented on GitHub (May 5, 2025):

Just to add to my previous comment, @Demetriao's fix has been working fine with the direct link to the feed (:8765/picture/1/frame/ in my case).

However, the page where we can review saved videos, pictures, etc, still shows the login form even when we don't have a login. We just have to click on "login" and it goes away, but still, I believe before you'd go directly to the view with the camera.

The right thing to do would be to have a login, but this is only available on a local network and it's for my parents, so I have to keep it simple.

@holdit commented on GitHub (May 5, 2025): Just to add to my previous comment, @Demetriao's fix has been working fine with the direct link to the feed (`:8765/picture/1/frame/` in my case). However, the page where we can review saved videos, pictures, etc, still shows the login form even when we don't have a login. We just have to click on "login" and it goes away, but still, I believe before you'd go directly to the view with the camera. ![Image](https://github.com/user-attachments/assets/e51b10e1-303e-4bf9-ad10-c3bbfc9a971f) The right thing to do would be to have a login, but this is only available on a local network and it's for my parents, so I have to keep it simple.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@Demetriao commented on GitHub (May 6, 2025):

@holdit
Do you mean the main page at {ip_address}:8765?

With the current code, this isn’t possible, because once the login dialog is hidden, it's no longer possible to switch users.
As mentioned in a previous comment, a separate button would be needed for that.
However, since user interaction is more likely on this page, enabling the "Remember me" option in the login dialog might be a simple solution.

The fix I provided above restores the behavior to how it worked in MotionEye version 0.42.

@Demetriao commented on GitHub (May 6, 2025): @holdit Do you mean the main page at {ip_address}:8765? With the current code, this isn’t possible, because once the login dialog is hidden, it's no longer possible to switch users. As mentioned in a previous comment, a separate button would be needed for that. However, since user interaction is more likely on this page, enabling the "Remember me" option in the login dialog might be a simple solution. The fix I provided above restores the behavior to how it worked in MotionEye version 0.42.

deekerman commented

2026-02-28 01:10:21 -05:00

Author

Owner

@holdit commented on GitHub (May 9, 2025):

@Demetriao Yes, that page. I think at some point we wouldn't see that login dialog if there was no password... but I'm working from memory and might be wrong.

It's not a big deal, but I mentioned it in case it's not supposed to appear when we don't have a password.

@holdit commented on GitHub (May 9, 2025): @Demetriao Yes, that page. I think at some point we wouldn't see that login dialog if there was no password... but I'm working from memory and might be wrong. It's not a big deal, but I mentioned it in case it's not supposed to appear when we don't have a password.

Rows
Columns

Embedded stream-iframe with no surveillance password set should not ask for a password #2353