Nextcloud 14 iframe embed problem...doesn't work in Edge + Chrome + Safari :)


We strongly need to embed NextCloud 14 (ubuntu & apache) in an IFrame inside another WebSite. We have commented the line header (‘X-Frame-Options: SAMEORIGIN’) in /lib/private/legacy/response.php since we don’t need this kind of protection at all! But in Chrome and Safari we got an error “too many redirect…”

Is there a way to solve it? It seems to be problem witch cookies but still don’t know how to avoid it :frowning:


The X-Frame-Options are deprecated and used by old browsers only, AFAIK. For more modern browsers you want to have a look at the CSP rules for frame-*** as well.
I believe you need to modify this file:

At least that’s the file I edited in the past to fix some CSP issues regarding frame-ancestors which wasn’t working yet in NC out of the box.
I suggest to check your CSP settings after each change with

1 Like

Thanks! As I can see there is iFrame policy in the file, but I don’t understand how to allow iframe embed!
Can you suggest an idea please?!

 * Domains which can embed an iFrame of the Nextcloud instance
 * @param string $domain
 * @return $this
 * @since 13.0.0
public function addAllowedFrameAncestorDomain($domain) {
	$this->allowedFrameAncestors[] = $domain;
	return $this;

I have to point out again, that changes in the code are not really advised and that these changes are overwritten with every NC update.
If you know what you’re doing, have a backup of the file and want to try it out, here is what you can do.

Open /var/www/nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php and go to the function “buildPolicy” and append the desired CSP strings. I added some more rules; frame-src for example:

    public function buildPolicy() {
            $policy = "default-src 'none';";
            $policy .= "base-uri 'none';";
            $policy .= "manifest-src 'self';";
            $policy .= "form-action 'self';";
            $policy .= "worker-src 'self';";
            $policy .= "frame-src 'self' https://the.other-server.tld;";

I hope you can understand from that code, how it’s working.

1 Like

On Nextcloud 14.0.3 trouble with iframe

Hello. I’ve the same trouble. I want to embed a calendar in an iframe on another domain and i’ve the error message “La page n’est pas dirigée correctement”

You can test it on
I’ve modified the EmptyContentSecurityPolicy.php like this:

> class EmptyContentSecurityPolicy {
>         /** @var bool Whether inline JS snippets are allowed */
>         protected $inlineScriptAllowed = null;
>         /** @var string Whether JS nonces should be used */
>         protected $useJsNonce = null;
>         /**
>          * @var bool Whether eval in JS scripts is allowed
>          * TODO: Disallow per default
>          * @link
>          */
>         protected $evalScriptAllowed = null;
>         /** @var array Domains from which scripts can get loaded */
>         protected $allowedScriptDomains = null;
>         /**
>          * @var bool Whether inline CSS is allowed
>          * TODO: Disallow per default
>          * @link
>          */
>         protected $inlineStyleAllowed = null;
>         /** @var array Domains from which CSS can get loaded */
>         protected $allowedStyleDomains = null;
>         /** @var array Domains from which images can get loaded */
>         protected $allowedImageDomains = null;
>         /** @var array Domains to which connections can be done */
>         protected $allowedConnectDomains = null;
>         /** @var array Domains from which media elements can be loaded */
>         protected $allowedMediaDomains = null;
>         /** @var array Domains from which object elements can be loaded */
>         protected $allowedObjectDomains = null;
>         /** @var array Domains from which iframes can be loaded */
>         protected $allowedFrameDomains =  ['',''];
>         /** @var array Domains from which fonts can be loaded */
>         protected $allowedFontDomains = null;
>         /** @var array Domains from which web-workers and nested browsing content can load elements */
>         protected $allowedChildSrcDomains = null;
>         /** @var array Domains which can embed this Nextcloud instance */
>         protected $allowedFrameAncestors = ['',''];
>         /**
>          * Whether inline JavaScript snippets are allowed or forbidden
>          * @param bool $state
>          * @return $this
>          * @since 8.1.0
>          * @deprecated 10.0 CSP tokens are now used
>          */

It does not change anything. Could you hlep me. Thanks

I was having the same problem with 15.04. Here’s how I solved it.

I believe that the redirecting issue was caused by cookies not being set in the iframe because it was requesting data from a different domain. Hands up, this was my fault for not realising this restriction existed and it makes sense. Putting Nextcloud on a subdomain of where the iframe originates fixed that issue. Eg, If the iframe is on then putting Nextcloud on works. Unfortunately this then led to a blank page.

This blank page didn’t give any error messages either in the network log or console but I believed this was either due due to the CSP or X-Frame-Options.

Editing lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php to update the CSP policy to add frame-src and adding the necessary array to $allowedFrameAncestors didn’t work.
Editing lib/private/legacy/response.php addSecurityHeaders() DID work but as pointed out is bad.
Editing .htaccess to include Header set X-Frame-Options "allow-from protocol://fqdn" underneath #Add security and privacy related headers DID work but is also a bit… dunno, hacky? Ultimately this is the option I went for.

In any case, a combination of sub-domains and X-Frame-Options did the trick for me. Hopefully a combination of these things will help…

I finally got this working in my environment.

I am hosting a site in which I use Nextcloud as an interface to view files within a web site that I am hosting. I don’t there is any security issue with approach since both Nextcloud and my hosted web site (built using Wordpress) are in the same parent domain which I control.

I first followed your advice of setting up Nextcloud as a subdomain of the domain I am hosting my website on.

Once I did this, I had to make the following changes to the code:

  1. In file: …/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php

< protected $allowedFrameAncestors = null;

protected $allowedFrameAncestors = [
  1. In file: …/lib/public/AppFramework/Http/ContentSecurityPolicy.php

< ‘‘self’’,


It would be nice if we could perform this type of configuration with configuration files instead of hacking code…

As modifying the code has the drawbacks pointed out by @Schmu, this could instead really be a useful option… “Allow embedding calendar in other sites”