SOLUTION:
I needed the original patch for response.php, plus modifying /var/www/nextcloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php to reflect my other server’s web address like so:
protected $allowedFrameDomains = [
'https://*.klein.us',
];
/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = [
'\'self\'',
'https://*.klein.us',
];
And response.php is modified to look like:
header('X-Frame-Options: allow-from https://*.klein.us'); // Disallow iFraming from other domains
I use a server app called Organizr to have a handy dashboard for all my internally hosted applications, and it uses iFrames to provide access to the shortcut of the server without leaving the Organizr page. It’s very handy for quickly navigating across many services within a single webpage.
On Nextcloud 15.x, I was able to allow Nextcloud to be iFramed by commenting out:
//header('X-Frame-Options: SAMEORIGIN');
in /var/www/nextcloud/lib/private/legacy/response.php. I understand that this is normally a security risk, but I’m the only one using my Nextcloud instance at home.
Since upgrading to 16.0, this tactic no longer works. Nextcloud reports the code change as a security vulnerability, so it is being picked up, but iFraming is still blocked with a report of “Blocked by Content Security Policy”. I haven’t modified the reverse proxy or the web server that provides Nextcloud … the only change was upgrading to Nextcloud 16.0, which makes me think there’s another file or section that I need to modify. The developer console in Chrome states:
Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive
But I can’t find that option in the PHP files for Nextcloud.
Can anyone help me find how to allow iFrames for Nextcloud 16.0?
System:
Nginx reverse proxy (1.14)
Nginx web server for Nextcloud (1.14)
Nextcloud 16.0
Ubuntu 18.04
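
Added example (not part of the original post and not Nextcloud code): a simplified JavaScript model of the check a browser applies before rendering a framed page, showing why removing `X-Frame-Options` has no effect once a `frame-ancestors` directive is sent, and that `https://*.klein.us` covers subdomains but not the bare domain. The function names and the `SAMPLE` headers are assumptions made for illustration.

```javascript
// Added example: simplified model of a browser's framing decision for a
// single parent page (real browsers check every ancestor frame).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
// Constructed sample: the policy from the post plus a leftover X-Frame-Options.
const SAMPLE = {
  'content-security-policy': "frame-ancestors 'self' https://*.klein.us",
  'x-frame-options': 'SAMEORIGIN',
};

// Return the frame-ancestors source list from a CSP header value, or null.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression (scheme://host[:port], 'self', 'none', *)
// against the embedding page's origin. Paths are not part of this check.
function sourceMatches(source, parent, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return parent.origin === self.origin;
  if (source === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const want = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (want !== parent.protocol) return false;
  const def = DEFAULT_PORT[parent.protocol] || '';
  if ((port || def) !== (parent.port || def)) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare domain.
  if (h.startsWith('*.')) return parent.hostname.endsWith(h.slice(1));
  return parent.hostname === h;
}

// Decide whether `parentUrl` may frame a response served from `selfUrl`.
function mayFrame(headers, parentUrl, selfUrl) {
  const parent = new URL(parentUrl), self = new URL(selfUrl);
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // frame-ancestors is present, so X-Frame-Options is not consulted.
    return sources.some((s) => sourceMatches(s, parent, self));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === self.origin;
  return true; // absent, or a value current browsers ignore (ALLOW-FROM)
}
```

Calling `mayFrame(SAMPLE, parentUrl, selfUrl)` with the dashboard's URL as the parent and the Nextcloud URL as self returns whether the frame would render under those headers.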