Hello
I use iframe ton embed external web interfaces into nextcloud (with the “external sites” apps), thoses interfaces are exposed with a nginx reverse proxy with a configuration that allow access only with a valid referer (my nextcloud domain).
Everything work as expected with desktop client (chrome/firefox/edge), but the android application didn’t send a referer (well “-” in fact).
[12/Nov/2020:22:32:51 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:34:32 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:41:21 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:41:37 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
Here is my apache2 configuration to set up the referer :
ServerName my.domain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/appsdirectory/nextcloud/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/apps/nextcloud/>
Options +FollowSymlinks
AllowOverride All
#Specific configuration
Header always set Referrer-Policy "origin"
#end of specific configuration
<IfModule mod_dav.c>
Dav off
</IfModule>
SetEnv HOME /var/www/appsdirectory/nextcloud
SetEnv HTTP_HOME /var/www/appsdirectory/nextcloud
</Directory>
I try to add the following in .htacces without success :
Header onsuccess unset Referrer-Policy
Header always set Referrer-Policy "origin"
Do you have any idea ?