Setting security policy for an editor

I am trying to resurrect the DrawIO file editor for Nextcloud. I am stuck trying to hook into their online editor at draw.io. If I have a standalone page it looks like I can just create an iframe, set the CSP and then set the source to draw.io. My issue is that I am trying to do this from the “files” view and have it pop up a new iframe with the editor in the “app-content” div. In Firefox I keep getting an error: “Content Security Policy: The page’s settings blocked the loading of a resource at https://draw.io/?embed=1&returnbounds=1 (“frame-src http://nc.local:8000”).” Any clues about how to get around this? My current code is at bitbucket.org/geiseri/nextcloud_drawio.

Take a look at https://github.com/nextcloud/news/blob/master/lib/Controller/PageController.php#L79

I think my problem is that I do not really have a controller. I am hooking into the files menu and using WebDAV to access the files. In the meantime I switched from an iframe to a new window. Now this gets me to the editor, but when I try to use XMLHttpRequest to post the data to the WebDAV interface I see this error from SabreDAV:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>CSRF check not passed.</s:message>
</d:error>

So I am closer, but I still think I need to hook into the CSP. Right?

No, you need to send the CSRF token (head data-requesttoken=“token”)

Oh, okay… now the question is where do I get such a thing?

read my post

I apologize for being thick here, but I didn’t understand your comment. Is this something I need to put in the PHP? Or can I do this in the JavaScript? So far I have gotten away with only an app.php that injects my JavaScript. My question was more concisely: how do I create and track the request token? Thanks!

JavaScript. You need to parse the token from the HTML head element and send it as HTTP header (requesttoken)
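The fix described in the reply above, written out as an added example (this is not code from the nextcloud_drawio app or from Nextcloud itself): read the CSRF token Nextcloud embeds as `data-requesttoken` on the `<head>` element, attach it as the `requesttoken` header on the WebDAV request, and recognise the SabreDAV `NotAuthenticated` error from the thread when the token is missing. The sample HTML and error body are constructed for the example; the `/remote.php/dav/files/<user>/` path, the `nc.local:8000` host and the `alice` user are assumptions about a standard Nextcloud layout, not something the thread states.

```javascript
// Added example: send a Nextcloud CSRF token with a WebDAV PUT from page JS.

// Parse the token out of the page's markup. In a real page you would read
// document.head.dataset.requesttoken; parsing the HTML string lets the
// same logic run (and be tested) outside a browser.
function extractRequestToken(html) {
  const m = /<head\b[^>]*\bdata-requesttoken="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Detect the SabreDAV error body from the thread, so a stale or missing
// token is reported as a CSRF problem rather than a generic 401.
function isCsrfFailure(xmlBody) {
  return /<s:exception>Sabre\\DAV\\Exception\\NotAuthenticated<\/s:exception>/.test(xmlBody)
    && /<s:message>CSRF check not passed\.<\/s:message>/.test(xmlBody);
}

// Build the request descriptor for saving a file through the WebDAV
// endpoint. The token travels in the "requesttoken" header; the session
// cookie goes along because withCredentials is set. Path layout is an
// assumption (standard Nextcloud files DAV endpoint).
function buildDavPut(baseUrl, user, filePath, token, body) {
  if (!token) throw new Error('no requesttoken found in page head');
  const encodedPath = filePath.split('/').map(encodeURIComponent).join('/');
  return {
    method: 'PUT',
    url: `${baseUrl}/remote.php/dav/files/${encodeURIComponent(user)}/${encodedPath}`,
    headers: { requesttoken: token, 'Content-Type': 'application/xml' },
    withCredentials: true,
    body,
  };
}

// Browser-only: perform the request with XMLHttpRequest and surface the
// CSRF failure distinctly. Resolves with the HTTP status on success.
function sendDavPut(req) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open(req.method, req.url, true);
    xhr.withCredentials = req.withCredentials;
    Object.entries(req.headers).forEach(([k, v]) => xhr.setRequestHeader(k, v));
    xhr.onload = () => {
      if (xhr.status >= 200 && xhr.status < 300) return resolve(xhr.status);
      if (isCsrfFailure(xhr.responseText)) return reject(new Error('CSRF check failed: refresh the requesttoken'));
      reject(new Error(`HTTP ${xhr.status}`));
    };
    xhr.onerror = () => reject(new Error('network error'));
    xhr.send(req.body);
  });
}

// Constructed sample page head, mirroring the attribute Nextcloud emits.
const SAMPLE_HTML =
  '<!DOCTYPE html><html><head data-requesttoken="abc123:XYZ" data-user="alice">' +
  '<title>Files</title></head><body></body></html>';

// Constructed copy of the error body quoted in the thread.
const SAMPLE_CSRF_ERROR =
  '<?xml version="1.0" encoding="utf-8"?>\n' +
  '<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n' +
  '  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n' +
  '  <s:message>CSRF check not passed.</s:message>\n' +
  '</d:error>';

// Usage (browser): build the request from the live page and send it.
// sendDavPut(buildDavPut(location.origin, 'alice', 'Documents/diagram.drawio',
//   document.head.dataset.requesttoken, '<mxfile/>')).then(console.log, console.error);
```

The token is tied to the logged-in session, so it must be read from the page the script was injected into rather than hard-coded, and a page that has been open long enough for the session to expire will get the same `CSRF check not passed` body again; treating that response as a distinct error makes the re-login path obvious.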

Okay, now I understand. That fixed it! Thanks!