Embed Nextcloud: Allow custom frame-ancestors

I want to embed Nextcloud within my parent website.

What I did so far:

  1. added my domain to trusted_domains in the config.php file.
  2. added my domain to protected $allowedFrameAncestors in the ContentSecurityPolicy.php file.

Result: The login page is rendered inside my iframe (due to 2.), but I cannot log in.

The same behavior seems to be described in this post, without any solution.

On the other hand, I configured Office to use my Collabora instance with the subdomain collabora.mydomain.com, and this context allows embedding and login.

So it should be possible to allow embedding for other domains as well. But I am stuck here. How to do it?

Hello @rikoentw,
welcome to the Nextcloud community :handshake:

Please edit your post and add as much information as possible so that community supporters have the necessary technical information to help you.

Regards,
rakekniven

Not sure what to add. It seems there is no public documentation on embedding Nextcloud on other websites. It's a general challenge and not particular to my setup, I think.

I run Nextcloud v32 with nginx on my server.

I discovered that I can embed Nextcloud on a different subdomain (of the same domain) when I add the subdomain to $allowedFrameAncestors in the ContentSecurityPolicy.php config (although this might not be the way to do it properly).

Rephrasing my question:
How to configure Nextcloud's content security policy so that it allows me to use Nextcloud in the context of another app?

Documentation in ContentSecurityPolicy.php:

/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = null;

So why can’t I just add arbitrary domains to allow embedding?

There also seems to be a StrictContentSecurityPolicy.php file. But since changes in the other file take effect, I would assume it's not relevant.

In the config.sample.php I find the following:

 * Your list of trusted domains that users can log into. Specifying trusted
 * domains prevents host header poisoning. Do not remove this, as it performs
 * necessary security checks.
 * You can specify:
 *
 * - The exact hostname of your host or virtual host, e.g., demo.example.org.
 * - The exact hostname with permitted port, e.g., demo.example.org:443.
 *   This disallows all other ports on this host
 * - Use * as a wildcard, e.g., ubos-raspberry-pi*.local will allow
 *   ubos-raspberry-pi.local and ubos-raspberry-pi-2.local
 * - The IP address with or without permitted port, e.g., [2001:db8::1]:8080
 *   Using TLS certificates where commonName=<IP address> is deprecated
 */
'trusted_domains' => [
        'demo.example.org',
        'otherdomain.example.org',
        '10.111.112.113',
        '[2001:db8::1]'
],

That also looks relevant for login.

I also tried to update the nginx config: /etc/nginx/sites-available/nextcloud.conf

# === WOPI Allow ===
location ^~ /index.php/apps/richdocuments/wopi/ {
    # Access-Control-Allow-Origin accepts a single origin (or "*"); a
    # space-separated list is not a valid value and browsers reject it.
    add_header Access-Control-Allow-Origin "https://myFirstDomain.com https://myOtherDomain.com" always;
    add_header Access-Control-Allow-Methods "GET, OPTIONS, POST, PUT, DELETE" always;
    add_header Access-Control-Allow-Headers "Authorization, Content-Type, Depth, User-Agent, X-Requested-With, X-File-Name, Cache-Control" always;
    # X-Frame-Options ALLOW-FROM is deprecated, takes at most one origin and is
    # ignored by current browsers, which honour the CSP frame-ancestors
    # directive instead.
    add_header X-Frame-Options "ALLOW-FROM https://myFirstDomain.com ALLOW-FROM https://myOtherDomain.com" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param front_controller_active true;

    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

But this does not seem to have any effect.
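Editing ContentSecurityPolicy.php in the server core, as described in the posts above, is undone by the next Nextcloud update. The supported way to extend the frame-ancestors directive is a small app that listens for the AddContentSecurityPolicyEvent and contributes extra allowed origins, which is also how the Collabora integration (richdocuments) makes its own domain embeddable. The listener below is an added example written for this thread, not code from Nextcloud or from the thread's authors. The app id `embedallow`, the class names and the app config key `frame_ancestors` are assumptions; the classes `OCP\Security\CSP\AddContentSecurityPolicyEvent` and `OCP\AppFramework\Http\EmptyContentSecurityPolicy` and the method `addAllowedFrameAncestorDomain()` are the real Nextcloud public API.

```php
<?php

declare(strict_types=1);

// File 1 (assumed path): apps/embedallow/lib/Listener/FrameAncestorListener.php
namespace OCA\EmbedAllow\Listener;

use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\EventDispatcher\Event;
use OCP\EventDispatcher\IEventListener;
use OCP\IConfig;
use OCP\Security\CSP\AddContentSecurityPolicyEvent;

/**
 * Contributes the origins that may embed this instance to the
 * frame-ancestors directive of every response, without touching core files.
 * Core keeps its own 'self' entry; the policy manager merges the two.
 */
class FrameAncestorListener implements IEventListener {
    public function __construct(private IConfig $config) {
    }

    public function handle(Event $event): void {
        if (!($event instanceof AddContentSecurityPolicyEvent)) {
            return;
        }

        // Assumed app config key: a comma-separated list of origins, e.g.
        // "https://myFirstDomain.com,https://myOtherDomain.com", set with
        //   occ config:app:set embedallow frame_ancestors --value "https://myFirstDomain.com"
        $raw = $this->config->getAppValue('embedallow', 'frame_ancestors', '');

        $policy = new EmptyContentSecurityPolicy();
        foreach (array_filter(array_map('trim', explode(',', $raw))) as $origin) {
            // Accept only absolute https origins. A bare "*" or a scheme-less
            // value would let any site frame the instance (clickjacking),
            // so anything else is dropped rather than passed through.
            if (!preg_match('#^https://[a-z0-9.-]+(:\d+)?$#i', $origin)) {
                continue;
            }
            $policy->addAllowedFrameAncestorDomain($origin);
        }
        $event->addPolicy($policy);
    }
}

// File 2 (assumed path): apps/embedallow/lib/AppInfo/Application.php
namespace OCA\EmbedAllow\AppInfo;

use OCA\EmbedAllow\Listener\FrameAncestorListener;
use OCP\AppFramework\App;
use OCP\AppFramework\Bootstrap\IBootContext;
use OCP\AppFramework\Bootstrap\IBootstrap;
use OCP\AppFramework\Bootstrap\IRegistrationContext;
use OCP\Security\CSP\AddContentSecurityPolicyEvent;

class Application extends App implements IBootstrap {
    public const APP_ID = 'embedallow';

    public function __construct() {
        parent::__construct(self::APP_ID);
    }

    public function register(IRegistrationContext $context): void {
        // Register the listener so it runs for every response's CSP.
        $context->registerEventListener(AddContentSecurityPolicyEvent::class, FrameAncestorListener::class);
    }

    public function boot(IBootContext $context): void {
    }
}
```

After enabling the app and setting the config value, check the effect with a plain request to the login page, for example `curl -sI https://cloud.example.com/login | grep -i content-security-policy`, and confirm that `frame-ancestors` lists `'self'` plus the configured origins. Keep in mind that frame-ancestors only decides whether the browser renders the page inside the frame; it has no effect on cookies. If the login page renders in the iframe but the login itself fails, the CSP is not the place to look: inspect the session cookies and their SameSite attributes in the browser's developer tools, since a parent page on a different site is a cross-site context for every cookie Nextcloud sets.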