Embedding Nextcloud in iFrame not working due to cookie handling

Laurens · July 13, 2021, 6:54pm

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 20.0.5): 22.0.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.1 LTS
Apache or nginx version (eg, Apache 2.4.25): 2.4.41
PHP version (eg, 7.4): 7.3.28

The issue you are facing:

I want to embed my nextcloud installation in a trusted iFrame on another domain of mine. While basic embedding works by editting the $allowedFrameAncestors variable in the ContentSecurityPolicy.php file, I just get a login screen presented. It does do a server request / loading icon for a bit but then just refreshes the page back to the login page. Presumably this is caused by cookies not being handled well over/within the iframe.

Most if not all hits you get searching on this are about security headers not including the domain you want to embed from. But that isn’t the issue as I get the Nextcloud login screen. I just would like to be able to actually login or use some kind of single sign on so I can for example share a Deck board.

Is this the first time you’ve seen this error? (N):

Steps to replicate it:

Embed the Nextcloud installation on domain a.com from domain b.com by a simple

<iframe width='1000' height='600' frameborder='0' src='https://a.com/index.php/s/HX3tJJm3d2yneiW'></iframe>

Make sure domain b.com is added to the $allowedFrameAncestors array in /lib/public/AppFramework/Http/ContentSecurityPolicy.php
Try to view the page (should succeed) and login using existing credentials (should fail).

The output of your Nextcloud log in Admin > Logging:

none

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '518439h4893f3jf28db',
  'passwordsalt' => 'blablablablabla',
  'datadirectory' => '/yoda/cloudstore/data/',
  'dbtype' => 'mysql',
  'version' => '22.0.0.11',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'blablabalbalbalbla',
  'overwritewebroot' => '/',
  'installed' => true,
  'forcessl' => true,
  'maintenance' => false,
  'trashbin_retention_obligation' => 'auto,90',
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'theme' => '',
  'default_phone_region' => 'NL',
  'has_internet_connection' => true,
  'check_for_working_webdav' => true,
  'check_for_working_htaccess' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0,
    'dbindex' => 0,
  ),
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '::1',
    2 => '192.168.100.6',
    3 => 'a.com',
  ),
  'trusted_domains' =>
  array (
    0 => 'a.com',
    1 => 'b.com',
    2 => 'collabora.a.com',
  ),
  'mail_from_address' => 'fromMe',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'a.com',
  'secret' => 'whowthisissecret7',
  'asset-pipeline.enabled' => true,
  'preview_max_scale_factor' => 1,
  'forceSSLforSubdomains' => true,
  'app.mail.imaplog.enabled' => true,
  'loglevel' => 2,
  'log_type' => 'file',
  'appstore.experimental.enabled' => true,
  'overwrite.cli.url' => 'https://a.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtphost' => 'localhost',
  'mail_smtpport' => '25',
  'data-fingerprint' => 'ncjdsncjkdsnckjndk',
  'mysql.utf8mb4' => true,
  'updater.release.channel' => 'beta',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'app_install_overwrite' =>
  array (
    0 => 'keeweb',
  ),
  'app.mail.verify-tls-peer' => false,
  'updater.secret' => 'looksSecret10183',
);

The output of your Apache/nginx/system log in /var/log/____:

can;t see any relevant logging...

utiwari18 · July 30, 2021, 8:42am

Were you able to solve this ? I am facing the same issue

Laurens · July 31, 2021, 2:21pm

Unfortunately not. I’m starting to believe that it’s not possible at the moment, but at the same time wonder about that since it feels like a regular usecase?

jacobors · August 20, 2021, 9:14am

Did you solve this? I´m facing de same issue

azmeuk · October 21, 2021, 2:30pm

For the record, I do not face this issue with a nextcloud OIDC authentication.

However, thank you for the tip with $allowedFrameAncestors. I would love it to be a regular administration option.