We strongly need to embed Nextcloud 14 (Ubuntu & Apache) in an iframe inside another website. We have commented out the line header('X-Frame-Options: SAMEORIGIN') in /lib/private/legacy/response.php, since we don't need this kind of protection at all! But in Chrome and Safari we get the error "too many redirects…"
Is there a way to solve it? It seems to be a problem with cookies, but I still don't know how to avoid it.
X-Frame-Options is deprecated and used by old browsers only, AFAIK. For more modern browsers you want to have a look at the CSP rules for frame-* as well.
I believe you need to modify this file: /var/www/nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
At least that's the file I edited in the past to fix some CSP issues regarding frame-ancestors, which wasn't working yet in NC out of the box.
I suggest checking your CSP settings after each change with
Thanks! As I can see, there is an iframe policy in the file, but I don't understand how to allow iframe embedding!
Can you suggest an idea, please?!
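Before changing any file it helps to know which header is actually refusing the iframe. The following is an added example for this thread (it is not code from the thread or from Nextcloud): it applies the browser's framing rules to a set of response headers such as `curl -sI https://office.example.com/` prints, and says which header blocks or allows an embedding origin. The rules it encodes: a Content-Security-Policy that carries frame-ancestors is authoritative and makes X-Frame-Options irrelevant; otherwise DENY and SAMEORIGIN apply; ALLOW-FROM is not recognised by Chrome or Safari. The header sets and the hosts office.example.com / www.example.com are constructed assumptions, and host matching is simplified (scheme, exact host or a leading "*." wildcard, optional port).

```php
<?php
// Added example, not code from the thread or from Nextcloud. Evaluates which
// framing header would stop an <iframe> for a given embedding origin.
declare(strict_types=1);

/** Return the frame-ancestors source list, or null if the CSP has none. */
function frameAncestorsFromCsp(array $headers): ?array {
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Content-Security-Policy') !== 0) {
            continue;
        }
        foreach (explode(';', $value) as $directive) {
            $parts = preg_split('/\s+/', trim($directive));
            if (strcasecmp($parts[0], 'frame-ancestors') === 0) {
                return array_slice($parts, 1);
            }
        }
    }
    return null;
}

/** Split an origin such as https://www.example.com:8443 into [scheme, host, port]. */
function originParts(string $origin): array {
    $u = parse_url(strtolower($origin));
    return [$u['scheme'] ?? '', $u['host'] ?? '', $u['port'] ?? null];
}

/** Does one frame-ancestors source expression match the embedding origin? (simplified matcher) */
function sourceMatches(string $source, string $embedder, string $self): bool {
    $source = strtolower($source);
    if ($source === "'none'") { return false; }
    if ($source === '*') { return true; }
    if ($source === "'self'") { $source = strtolower($self); }
    [$eScheme, $eHost, $ePort] = originParts($embedder);
    if (preg_match('/^[a-z][a-z0-9+.-]*:$/', $source)) {      // scheme-source, e.g. "https:"
        return rtrim($source, ':') === $eScheme;
    }
    if (strpos($source, '://') === false) {                     // bare host: take the embedder's scheme
        $source = $eScheme . '://' . $source;
    }
    [$sScheme, $sHost, $sPort] = originParts($source);
    if ($sScheme !== $eScheme || ($sPort !== null && $sPort !== $ePort)) {
        return false;
    }
    if (substr($sHost, 0, 2) === '*.') {                        // "*.example.com" matches "a.example.com"
        $suffix = substr($sHost, 1);
        return substr($eHost, -strlen($suffix)) === $suffix;
    }
    return $sHost === $eHost;
}

/** One-line verdict for framing $self (the Nextcloud origin) from $embedder. */
function framingVerdict(array $headers, string $embedder, string $self): string {
    $ancestors = frameAncestorsFromCsp($headers);
    if ($ancestors !== null) {
        foreach ($ancestors as $src) {
            if (sourceMatches($src, $embedder, $self)) {
                return 'allowed by frame-ancestors';
            }
        }
        return 'blocked by frame-ancestors (X-Frame-Options is ignored when frame-ancestors is present)';
    }
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'X-Frame-Options') !== 0) {
            continue;
        }
        $v = strtoupper(trim($value));
        if ($v === 'DENY') { return 'blocked by X-Frame-Options: DENY'; }
        if ($v === 'SAMEORIGIN') {
            return strcasecmp($embedder, $self) === 0
                ? 'allowed by X-Frame-Options: SAMEORIGIN'
                : 'blocked by X-Frame-Options: SAMEORIGIN';
        }
        if (strpos($v, 'ALLOW-FROM') === 0) {
            return 'X-Frame-Options: ALLOW-FROM is not honoured by Chrome or Safari; use frame-ancestors';
        }
    }
    return 'no framing restriction in these headers';
}

// Constructed header sets (assumed for the example, not captured from a real instance).
$cases = [
    'both headers'          => ['X-Frame-Options' => 'SAMEORIGIN',
                                'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'"],
    'XFO commented out'     => ['Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'"],
    'frame-ancestors added' => ['X-Frame-Options' => 'SAMEORIGIN',
                                'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self' https://www.example.com"],
    'allow-from only'       => ['X-Frame-Options' => 'allow-from https://www.example.com'],
];
foreach ($cases as $label => $headers) {
    printf("%-23s %s\n", $label . ':',
        framingVerdict($headers, 'https://www.example.com', 'https://office.example.com'));
}
```

Run it with `php check_framing.php` (any file name). The second case shows why removing the X-Frame-Options line alone changes nothing in a current browser: as long as the CSP still says `frame-ancestors 'self'`, the iframe stays blocked, and the page typically renders blank without a network error. The third case is the one that actually allows the embedding site. To feed real headers in, paste the lines from `curl -sI https://office.example.com/ | grep -i -E 'x-frame-options|content-security-policy'` into the array.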
```php
/**
 * Domains which can embed an iFrame of the Nextcloud instance
 *
 * @param string $domain
 * @return $this
 * @since 13.0.0
 */
public function addAllowedFrameAncestorDomain($domain) {
	$this->allowedFrameAncestors[] = $domain;
	return $this;
}
```
I have to point out again that changes in the code are not really advised and that these changes are overwritten with every NC update.
If you know what you're doing, have a backup of the file and want to try it out, here is what you can do.
Open /var/www/nextcloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php, go to the function "buildPolicy" and append the desired CSP strings. I added some more rules, frame-src for example:
Hello. I have the same trouble. I want to embed a calendar in an iframe on another domain and I get the error message "The page isn't redirecting properly" (in French: "La page n'est pas dirigée correctement").
I was having the same problem with 15.04. Here's how I solved it.
I believe that the redirecting issue was caused by cookies not being set in the iframe because it was requesting data from a different domain. Hands up, this was my fault for not realising this restriction existed, and it makes sense. Putting Nextcloud on a subdomain of where the iframe originates fixed that issue. E.g., if the iframe is on www.example.com, then putting Nextcloud on office.example.com works. Unfortunately this then led to a blank page.
This blank page didn't give any error messages either in the network log or console, but I believed this was due either to the CSP or to X-Frame-Options.
Editing lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php to update the CSP policy to add frame-src and adding the necessary array to $allowedFrameAncestors didn't work.
Editing lib/private/legacy/response.php addSecurityHeaders() DID work, but as pointed out is bad.
Editing .htaccess to include `Header set X-Frame-Options "allow-from protocol://fqdn"` underneath `#Add security and privacy related headers` DID work, but is also a bit… dunno, hacky? Ultimately this is the option I went for.
In any case, a combination of sub-domains and X-Frame-Options did the trick for me. Hopefully a combination of these things will help…
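The thread so far offers three routes (editing EmptyContentSecurityPolicy.php, editing response.php, or an .htaccess header), and the warning that core edits are overwritten by every update applies to the first two. An added example, not code from the thread or from Nextcloud, of doing the same thing through the public API instead: a tiny custom app hands an extra policy to the server's CSP manager using the very `addAllowedFrameAncestorDomain()` shown above, so the origin ends up in the frame-ancestors directive of every response and survives updates. Assumptions: the app lives in `apps/frame_embed`, this file is `apps/frame_embed/appinfo/app.php` (the per-request bootstrap that Nextcloud 14/15 load for every enabled app), and the embedding site is https://www.example.com.

```php
<?php
// Added example, not code from the thread or from Nextcloud itself.
// File: apps/frame_embed/appinfo/app.php (assumed app id "frame_embed").
declare(strict_types=1);

use OCP\AppFramework\Http\EmptyContentSecurityPolicy;

$policy = new EmptyContentSecurityPolicy();

// Each call adds one origin to the frame-ancestors directive. The default
// 'self' stays in place, so the instance can still frame its own pages.
// Replace the origin with the site that will host the <iframe> (assumption).
$policy->addAllowedFrameAncestorDomain('https://www.example.com');

// The CSP manager merges this policy with the default one and emits the merged
// header on every response; no file under lib/ changes, so updates keep it.
\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
```

The app also needs a minimal `appinfo/info.xml` (id `frame_embed`, a name, a version and a `dependencies` element naming the Nextcloud version) and must be enabled with `occ app:enable frame_embed`; afterwards `curl -sI https://office.example.com/` should show the new origin inside `frame-ancestors`. Because a current browser honours frame-ancestors over X-Frame-Options, the `SAMEORIGIN` line in response.php can stay as it is. On Nextcloud 17 and later the same policy can be registered from a listener for `OCP\Security\CSP\AddContentSecurityPolicyEvent` instead of app.php. Note that this only addresses the framing headers: the "too many redirects" loop is a separate, cookie-side problem, which is why the subdomain step above is needed as well.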
I am hosting a site in which I use Nextcloud as an interface to view files within a website that I am hosting. I don't think there is any security issue with this approach, since both Nextcloud and my hosted website (built using WordPress) are in the same parent domain, which I control.
I first followed your advice of setting up Nextcloud as a subdomain of the domain I am hosting my website on.
Once I did this, I had to make the following changes to the code:
In file: …/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php