Login flow with web app


I am trying to integrate our web app with Nextcloud. I am not having any luck opening a window / webview to /index.php/login/flow setting the OCS-APIRequest and User-Agent headers.

Chrome’s CORB (Cross-Origin Read Blocking) prevents any content being displayed. Chrome also prevents the User-Agent header being set if trying to make a jQuery $.ajax request. Similarly try to set it directly through XMLHttp​Request​.set​Request​Header() is also blocked.

I’ve tried using an iframe with the Request interface of the Fetch API and populating the iframe src from blob with URL.create​ObjectURL(). But this just causes an empty ‘unknown’ file download in Firefox and is blocked (CORB) in Chrome.

Authorising a web app to access Nextcloud shouldn’t be this hard should it? Am I going about it the wrong way? Is there some other way to set the headers on the HTTP request and open a new window or display in iframe?

Here is the HTML and JS

<iframe id="RequestFetchFrame" style="width: 500px; height: 500px"></iframe>

var request = new Request("https://cloud.724.com.au/index.php/login/flow", {
    method: "GET",
    mode: "no-cors",
    headers: new Headers({
        "OCS-APIRequest": true ,
        "User-Agent": "My Web App"

.then(response => response.blob())
.then(blob => {
    document.querySelector("#RequestFetchFrame").src = URL.createObjectURL(blob);