Setting security policy for an editor

I am trying to resurrect the DrawIO file editor for nextcloud. I am stuck trying to hook into their online editor at If I have a standalone page it looks like I can just create an iframe, set the CSP and then set the source to My issue is that I am trying to do this from the “files” view and have it pop up a new iframe with the editor in the “app-content” div. In firefox I keep getting an error: “Content Security Policy: The page’s settings blocked the loading of a resource at (“frame-src http://nc.local:8000”).” Any clues about how to get around this? My current code is at

Take a look at

I think my problem is that I do not really have a controller. I am hooking into the files menu and using webdav to access the files. In the meantime I switched from an iframe to a new window. Now this gets me to the editor, but now when I try to use xmlhttprequest to post the data to the webdav interface I see this error from SabreDAV:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="">
  <s:message>CSRF check not passed.</s:message>

So I am closer, but I still think I need to hook into the CSP. Right?

No, you need to send the CSRF token (head data-requesttoken="token")

Oh, okay… now the question is where do I get such a thing?

read my post

I apologize for being thick here, but I didn’t understand your comment. Is this something I need to put in the php? Or can I do this in the Javascript. So far I have gotten away with only an app.php that injects my javascript. My question was more concisely how do I create and track the request token. Thanks!

JavaScript. You need to parse the token from the HTML head element and send it as HTTP header (requesttoken)
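The token handling described in the answer above, as an added example that is not code from this thread or from Nextcloud itself: it reads the token off the `data-requesttoken` attribute of the page's `<head>` element and sends it back as the `requesttoken` HTTP header on a WebDAV PUT. The `remote.php/dav/files/<user>/` path, the helper names and the sample head HTML (with a made-up token value) are assumptions for the example.

```javascript
// Added example: obtain Nextcloud's CSRF token from <head data-requesttoken="...">
// and attach it as the `requesttoken` header when writing a file over WebDAV.
// Not from the thread or from Nextcloud; names and the DAV path are assumed.

// Constructed sample of a page head; the token value is made up for the example.
const SAMPLE_HEAD_HTML =
  '<html><head data-requesttoken="abc123:XYZ/+=" data-user="alice">' +
  '<title>Files</title></head><body></body></html>';

// In a browser, read the token straight from the DOM. When handed raw HTML
// (or outside a browser, e.g. in a unit test) fall back to a regex parse.
function getRequestToken(html) {
  if (html === undefined && typeof document !== 'undefined' && document.head) {
    return document.head.dataset.requesttoken || null;
  }
  const m = /<head\b[^>]*\bdata-requesttoken="([^"]*)"/i.exec(html || '');
  return m ? m[1] : null;
}

// Headers for a WebDAV request. `requesttoken` is the header name the
// answer above says Nextcloud checks; without it SabreDAV answers
// "CSRF check not passed."
function buildWebdavHeaders(token, contentType) {
  if (!token) {
    throw new Error('no requesttoken found in <head>; the CSRF check will fail');
  }
  return {
    requesttoken: token,
    'Content-Type': contentType || 'application/octet-stream',
  };
}

// Build the per-user files URL (assumed layout: remote.php/dav/files/<user>/<path>),
// percent-encoding each path segment so spaces and special characters survive.
function webdavFileUrl(baseUrl, user, path) {
  const segments = path.split('/').filter(Boolean).map(encodeURIComponent);
  return `${baseUrl.replace(/\/+$/, '')}/remote.php/dav/files/` +
    `${encodeURIComponent(user)}/${segments.join('/')}`;
}

// Save a diagram body to WebDAV using the session cookie plus the CSRF header.
// credentials: 'same-origin' keeps the login cookie on the request; the token
// is what proves the request originated from the Nextcloud page itself.
async function saveViaWebdav(baseUrl, user, path, body, token) {
  const resp = await fetch(webdavFileUrl(baseUrl, user, path), {
    method: 'PUT',
    credentials: 'same-origin',
    headers: buildWebdavHeaders(token, 'application/xml'),
    body,
  });
  if (!resp.ok) throw new Error(`WebDAV PUT failed with HTTP ${resp.status}`);
  return resp.status;
}

// Stand-alone demonstration of the parsing and URL building (no network).
function demo() {
  const token = getRequestToken(SAMPLE_HEAD_HTML);
  return {
    token,
    url: webdavFileUrl('http://nc.local:8000', 'alice', 'Diagrams/my draw.drawio'),
    headers: buildWebdavHeaders(token, 'application/xml'),
  };
}
```

In the editor window itself, `getRequestToken()` with no argument reads the live `<head>`, and `saveViaWebdav(window.location.origin, user, path, xml, token)` performs the PUT; the URL and header helpers are separated so the parsing can be checked without a server.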

Okay, now I understand. That fixed it! Thanks!