Content-Security-Policy with NextCloud and OnlyOffice

As web navigators harden security, we have a problem since a few days. We can’t edit OnlyOffice docs from NextCloud. It seems that Http headers from Nextcloud does not load references for the OnlyOffice docserver. The navigator refuses to load non safe source document. Result is that the frame with the OnlyOffice Document is in the HTML webpage but the content not shown for security reasons.
Both our servers are behinf a reverse proxy
Internet → RP → Nextcloud server domain
Internet → RP → OnlyOffice server domain
Configuration for OnlyOffice is set on the NextCloud server with OnlyOffice server domain URL. A password is set to secure communication between both of them.
That does work for 2 years without any trouble.
I try to “hack” Content-Security-Policy" from the NGINX Reverse Proxy but that does seems to work. CSP headers does not allow loading the OnlyOffice document.
Any idea ?

1 Like