SAMEORIGIN header and embedding public calendar from nextcloud in website

It is great that NextCloud 11 finally has the public calendar sharing functionality enabled!

So as soon as I upgraded, I went on to embed our public calendar into our public event page as an iframe, only to find that it is not rendered if the web server sends the SAMEORIGIN security header, which I have enabled as Nextcloud recommends.
Our Nextcloud instance has a separate subdomain. Therefore the SAMEORIGIN restriction seems to apply. Is there a way to deal with this situation other than to remove the security header? Either to add an exception for the location /apps/calendar/public/ in the nginx server config (if that's possible) or, which would be the more elegant way, to make our main domain and our Nextcloud subdomain play nicely together by making it clear that they can be considered (by the browser?!) as the same domain?


Would that be a potential use case for a user-content (or calendar/sharing-content) subdomain?

@LukasReschke Why does the public link page not work? There should usually be nothing hidden or private, because all the authentication information is in the URL and cookies should not be a problem, right?

@LukasReschke has been looking into this yesterday and will send a pull request to the calendar :slight_smile:


Any update on this?

I am trying to embed a public calendar link on another domain, using NC 14.0.6.
I still get
Refused to display 'https://XXX/index.php/apps/calendar/embed/3RQALNLiTfF7GHTe' in a frame because it set multiple 'X-Frame-Options' headers with conflicting values ('ALLOW, SAMEORIGIN'). Falling back to 'deny'

Isn't there any way to embed the calendar on a different domain currently?

It seems the actual culprit is Content-Security-Policy, because Nextcloud seems to set its own strict values for that header. I tried to manually set a value for that header in the NGINX config, but it seems that Nextcloud generates code that overrides whatever I set. It seems that embedding a public calendar is therefore all but impossible.
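
To make the header interplay discussed in this thread concrete, here is an added example (not code from any poster or from Nextcloud) that models, in simplified form, how a browser decides whether a response may be framed: an enforced CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, and conflicting `X-Frame-Options` values fall back to deny. The function names and the `example.org` hostnames are assumptions made for illustration; ports and paths in source expressions are not handled.

```javascript
// Added example: simplified model of a browser's framing decision.
// Hostnames used with it are constructed placeholders.

// Match one frame-ancestors source against the embedding (parent) page.
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return parent.origin === self.origin;
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // 'none', ports, paths: no match in this sketch
  const scheme = (m[1] || self.protocol.slice(0, -1)) + ":";
  if (scheme !== parent.protocol || parent.port !== "") return false;
  return m[2] ? parent.hostname.endsWith("." + m[3]) : parent.hostname === m[3];
}

// Source list of the first frame-ancestors directive, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// headers.csp: one string per policy; headers.xfo: raw header values.
function canFrame(selfUrl, parentUrl, headers) {
  const self = new URL(selfUrl), parent = new URL(parentUrl);
  const lists = (headers.csp || []).map(frameAncestors).filter((l) => l !== null);
  if (lists.length > 0) {
    // Every policy with frame-ancestors must allow the parent;
    // X-Frame-Options is ignored once such a policy is present.
    const ok = lists.every((l) => l.some((src) => sourceMatches(src, parent, self)));
    return { allowed: ok, decidedBy: "frame-ancestors" };
  }
  const xfo = new Set((headers.xfo || []).flatMap((v) => v.split(","))
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ["deny", "sameorigin", "allowall"].some((v) => xfo.has(v));
  if (xfo.size > 1 && known) {
    return { allowed: false, decidedBy: "conflicting X-Frame-Options" };
  }
  if (xfo.has("deny")) return { allowed: false, decidedBy: "X-Frame-Options" };
  if (xfo.has("sameorigin")) {
    return { allowed: parent.origin === self.origin, decidedBy: "X-Frame-Options" };
  }
  return { allowed: true, decidedBy: "no restriction" };
}
```

Calling `canFrame("https://cloud.example.org/x", "https://www.example.org/events", { xfo: ["ALLOW, SAMEORIGIN"] })` reproduces the deny fallback from the error message quoted above, and a subdomain never satisfies `'self'` or `SAMEORIGIN` because origins compare scheme, host and port exactly.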