Embed a form with iFrame

Nextcloud version: 20.0.4
Operating system and version: debian 10
Apache or nginx version: nginx 1.14.2
PHP version (eg, 7.4): 7.3

The issue you are facing:
I can't embed a Nextcloud form into my blog using an iFrame.

Is this the first time you’ve seen this error? (Y/N):
No

Steps to replicate it:

  1. Try to embed a form with an iFrame.
  2. See the error: 'Firefox Can’t Open This Page. To protect your security, cloud.nextcloud.url will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.'
  3. Try to change /lib/public/AppFramework/Http/ContentSecurityPolicy.php or nextcloud/lib/private/legacy/OC_Response.php as recommended in Nextcloud 19 server: Allow iframe / embedding from external domains.
  4. Restart the server.
  5. Nothing changes.

The output of your nextcloud/lib/private/legacy/OC_Response.php

```php
// Send fallback headers for installations that don't have the possibility to send
// custom headers on the webserver side
if (getenv('modHeadersAvailable') !== 'true') {
    header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
    header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
    header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.8...
    // header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
    // ALLOW-FROM is obsolete: current Firefox and Chrome treat it as an invalid value and ignore the header
    header('X-Frame-Options: ALLOW-FROM https://blog.url');
    // Legacy prefixed CSP header, not honoured by current browsers
    header('X-Content-Security-Policy: frame-ancestors https://*.blog.url');
    // "*.blog.url" matches subdomains of blog.url only, not blog.url itself
    header('Content-Security-Policy: frame-ancestors https://*.blog.url');
    header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-se...
    header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/doc...
    header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
} // remainder of the file not shown in the post
```

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

```php
<?php
$CONFIG = array (
  'passwordsalt' => 'HERPADERPDERP',
  'secret' => 'BLERP',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'https://cloud.nextcloud.url',
    2 => 'https://blog.url',
  ),
  'datadirectory' => '/home/yunohost.app/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '20.0.4.0',
  'overwrite.cli.url' => 'https://cloud.nextcloud.url',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'HERPADERPDERP',
  'installed' => true,
  'instanceid' => 'HERPADERPDERP',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'updatechecker' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'integrity.check.disabled' => true,
  'filelocking.enabled' => true,
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'simpleSignUpLink.shown' => false,
  'redis' =>
  array (
    'host' => 'localhost',
    'port' => '6379',
    'timeout' => '0.0',
    'password' => '',
  ),
  'hashing_default_password' => true,
  'logout_url' => '',
  'app_install_overwrite' =>
  array (
    0 => 'ownpad',
  ),
);
```

This is planned, but not implemented yet.
See Ability to embed form into website · Issue #324 · nextcloud/forms · GitHub

Greets! :wink:
Jonas

Okay, thanks. Will track that ticket.

Hello,

Soft alternative:

Edit /etc/apache2/conf-enabled/security.conf (or .htaccess if you can’t modify this file)

and add these lines:

```apache
# CORS header; it has no effect on whether a page may be framed
Header always set Access-Control-Allow-Origin "*"
# ALLOW-FROM is obsolete and "*" is not a valid value for it; current browsers ignore this header
Header always set X-Frame-Options "ALLOW-FROM *"
# Legacy prefixed CSP header, not honoured by current browsers
Header always set X-Content-Security-Policy "frame-ancestors *"
# This is the header browsers act on; "*" lets any site frame the instance
Header always set Content-Security-Policy "frame-ancestors *"
```

and reload:

```shell
# apache2ctl loads /etc/apache2/envvars, which calling the apache2 binary directly does not
apache2ctl -tS && apache2ctl restart
```

Works fine with Nextcloud 23 on Debian 11.

The “always” keyword overrides the Nextcloud core PHP header() calls.

(You can change “*” to your target hostname for security reasons.)

Best regards.

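Both recipes in this thread (the edit of OC_Response.php in the first post and the Apache `Header always set` lines in the last one) work by changing the framing headers, so the practical question is which header a browser actually consults and what each value lets through. The checker below is an added example, not code from Nextcloud, the forms app or either poster. It applies the precedence current Firefox and Chrome use (a `Content-Security-Policy` carrying `frame-ancestors` is authoritative and `X-Frame-Options` is then ignored; `ALLOW-FROM` is obsolete and treated as an invalid value; the prefixed `X-Content-Security-Policy` header and the CORS `Access-Control-Allow-Origin` header play no part in framing) to header sets constructed to mirror the posts, and reports which embedding origins get through. The hostnames `cloud.nextcloud.url` and `blog.url` are the thread's placeholders, the page path is made up, and the header sets are constructed rather than captured from a server.

```javascript
// Added example, not code from Nextcloud, the forms app or the posts above.
// Decides whether a document at pageUrl, served with the given response headers, may be
// framed by a document at ancestorOrigin, using the precedence current Firefox/Chrome apply:
//   - a Content-Security-Policy with frame-ancestors is authoritative; X-Frame-Options is ignored;
//   - X-Frame-Options DENY / SAMEORIGIN are honoured; ALLOW-FROM is obsolete (invalid, ignored);
//   - X-Content-Security-Policy and Access-Control-Allow-Origin play no part in framing.
// Assumptions: one embedding level, no path-part in frame-ancestors sources, placeholder hostnames.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originParts(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Match one frame-ancestors source expression against the ancestor's origin (CSP3 matching rules).
function sourceMatches(expr, page, ancestor) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return ancestor.scheme === page.scheme && ancestor.host === page.host && ancestor.port === page.port;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return ancestor.scheme === e; // scheme-source such as "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false; // unparsable source expressions match nothing
  const [, scheme, host, port] = m;
  // Scheme: an explicit scheme must match; without one the page's scheme applies, except that
  // an http page may be framed by an https ancestor.
  if (scheme) {
    if (ancestor.scheme !== scheme + ":") return false;
  } else if (ancestor.scheme !== page.scheme && !(page.scheme === "http:" && ancestor.scheme === "https:")) {
    return false;
  }
  // Host: "*" is any host; "*.example" matches subdomains of example but NOT example itself.
  if (host.startsWith("*.")) {
    if (!ancestor.host.endsWith(host.slice(1))) return false;
  } else if (host !== "*" && ancestor.host !== host) {
    return false;
  }
  // Port: an explicit port must match; without one the ancestor must use its scheme's default port.
  if (port === "*") return true;
  return port ? ancestor.port === port : ancestor.port === DEFAULT_PORTS[ancestor.scheme];
}

function headerValues(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? [].concat(headers[key]) : [];
}

// Frame-ancestors source list of every policy that has one. Policies are separated by ","
// or by repeated headers, directives by ";".
function frameAncestorsLists(cspValues) {
  const lists = [];
  for (const value of cspValues) {
    for (const policy of value.split(",")) {
      for (const directive of policy.split(";")) {
        const tokens = directive.trim().split(/\s+/);
        if (tokens[0].toLowerCase() === "frame-ancestors") lists.push(tokens.slice(1));
      }
    }
  }
  return lists;
}

function mayBeFramed(pageUrl, headers, ancestorOrigin) {
  const page = originParts(pageUrl);
  const ancestor = originParts(ancestorOrigin);
  const lists = frameAncestorsLists(headerValues(headers, "Content-Security-Policy"));
  if (lists.length > 0) {
    // Every policy with frame-ancestors must allow the ancestor; X-Frame-Options is ignored.
    const allowed = lists.every((list) => list.some((src) => sourceMatches(src, page, ancestor)));
    return { allowed, reason: `CSP frame-ancestors ${allowed ? "allows" : "blocks"} ${ancestorOrigin}` };
  }
  const xfo = headerValues(headers, "X-Frame-Options").flatMap((v) => v.split(",")).map((v) => v.trim().toUpperCase());
  if (xfo.includes("DENY")) return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo.includes("SAMEORIGIN")) {
    const same = sourceMatches("'self'", page, ancestor);
    return { allowed: same, reason: `X-Frame-Options: SAMEORIGIN ${same ? "allows same-origin" : "blocks cross-origin"} ancestor` };
  }
  if (xfo.some((v) => v.startsWith("ALLOW-FROM"))) {
    return { allowed: true, reason: "X-Frame-Options: ALLOW-FROM is obsolete and ignored; no framing protection" };
  }
  return { allowed: true, reason: "no framing restriction in headers" };
}

// Constructed header sets mirroring the thread (not captured from a server); placeholder page URL.
const PAGE = "https://cloud.nextcloud.url/apps/forms/example";
const CASES = {
  // Nextcloud's stock policy: the CSP middleware emits frame-ancestors 'self'.
  "default": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN" },
  // The first post's edit of OC_Response.php, as posted.
  "op-edit": { "X-Frame-Options": "ALLOW-FROM https://blog.url", "Content-Security-Policy": "frame-ancestors https://*.blog.url" },
  // The Apache "soft alternative" with "*": any site may frame the instance.
  "soft-alternative": { "Access-Control-Allow-Origin": "*", "X-Frame-Options": "ALLOW-FROM *", "Content-Security-Policy": "frame-ancestors *" },
  // The same recipe narrowed to the blog's origin, as that post suggests.
  "soft-alternative-restricted": { "X-Frame-Options": "ALLOW-FROM https://blog.url", "Content-Security-Policy": "frame-ancestors https://blog.url" },
};
const ANCESTORS = ["https://cloud.nextcloud.url", "https://blog.url", "https://www.blog.url", "https://attacker.example"];

// Returns { caseName: { ancestorOrigin: allowed } } for the header sets above.
function evaluateThreadCases() {
  const result = {};
  for (const [name, headers] of Object.entries(CASES)) {
    result[name] = Object.fromEntries(ANCESTORS.map((a) => [a, mayBeFramed(PAGE, headers, a).allowed]));
  }
  return result;
}

for (const [name, byAncestor] of Object.entries(evaluateThreadCases())) console.log(name, byAncestor);
```

Run with `node`; it prints, per header set, which of the four origins may embed the page. Two results are worth noting. With `frame-ancestors *` the attacker origin is allowed as readily as the blog, so narrowing the source to the blog's origin is the difference between a form that only the blog can embed and one any site can overlay for clickjacking. And the wildcard source `https://*.blog.url` from the first post allows `www.blog.url` but not `blog.url` itself, because CSP host matching treats `*.` as "at least one subdomain label"; a blog served from the apex domain would still be refused by that policy even if the header were sent.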