SOLVED: Nextcloud 16 - How to allow iFrame usage


I needed the original patch for response.php, plus modifying /var/www/nextcloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php to reflect my other server’s web address like so:

protected $allowedFrameDomains = [
/** @var array Domains which can embed this Nextcloud instance /
protected $allowedFrameAncestors = [

And response.php is modified to look like:

header(‘X-Frame-Options: allow-from https://*’); // Disallow iFraming from other domains

I use a server app called Organizr to have a handy dashboard for all my internally hosted applications, and it uses iFrames to provide access to the shortcut of the server without leaving the Organizr page. It’s very handy for quickly navigating across many services within a single webpage.

On Nextcloud 15.x, I was able to allow Nextcloud to be iFramed by commenting out:

//header('X-Frame-Options: SAMEORIGIN');

in /var/www/nextcloud/lib/private/legacy/response.php. I understand that this is normally a security risk, but I’m the only one using my Nextcloud instance at home.

Since upgrading to 16.0, this tactic no longer works. Nextcloud reports the code change as a security vulnerability, so it is being picked up, but iFraming is still blocked with a report of “Blocked by Content Security Policy”. I haven’t modified the reverse proxy or the web server that provides Nextcloud … the only change was upgrading to Nextcloud 16.0, which makes me think there’s another file or section that I need to modify. The developer console in Chrome states:

Content Security Policy: Ignoring ‘x-frame-options’ because of ‘frame-ancestors’ directive

But I can’t find that option in the PHP files for Nextcloud.

Can anyone help me find how to allow iFrames for Nextcloud 16.0?

Nginx reverse proxy (1.14)
Nginx web server for Nextcloud (1.14)
Nextcloud 16.0
Ubuntu 18.04


Same here.

1 Like

Thank you this solved my problem in Nextcloud 16!

I have since updated to Nextcloud 17 and have found the same problem.

Note: config/ is used, interchangeably, instead of var/ as my nextcloud installation is inside a docker container.

In Nextcloud 17 config/www/nextcloud/lib/private/legacy/response.php is instead used for sending fallback headers for installations that don’t have the possibility to send custom headers on the webserver side. This means it no longer needs to be edited to allow iFrame usage.

After updating to Nextcloud 17, response.php and ContentSecurityPolicy.php were restored to normal.

To allow iFrame usage you no longer need to edit response.php.

I needed to edit ContentSecurityPolicy.php as you had shown and config/nginx/site-confs/default.

The changes made to config/www/nextcloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php were:

    /** @var array Domains from which iframes can be loaded */
    protected $allowedFrameDomains = [
    protected $allowedFrameAncestors = [

The changes made to config/nginx/site-confs/default were:

add_header X-Frame-Options "allow-from https://*.domain.tld" always;

I hope this helps you.

There is currently a pull request to reflect these changes in the releases notes,

Thanks for your help :wink:

But I think the X-Frame-Options header is not necessary, and obsolete:

Thanks too! this solved my problem to embedded nc calendar into a iframe on my website.

How about Nextcloud 18?

I try applying the changes in legacy, .htaccess, ContentSecurityPolicy.php, all dont work. Finally I change in apache httpd.conf, add this

Header set Content-Security-Policy “frame-ancestors ‘self’ *.mydomain.etc;”

It works for me now. More details are here

Can you confirm if this works with Version 18?

Many Thanks,

How do i do this for Nextcloud 19? I could not find the file config/www/nextcloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php

Have a look at this blog article, it describes how to do it in Nextcloud 19.

Thank you for the link to the blog.

After making the changes, I am now able to embed Calender.

However, I still cannot embed onlyoffice doc/xls.


I have no domain (iframe on localhost)
In my NC 19.0.3 i found this file, but not the line:
header(‘X-Frame-Options: SAMEORIGIN’);

In the .htaccess i comment out the whole block “# Add security and privacy related headers”,
but still no cloud in my iframe.

How about Netcloud 20?
It does not work !

For NextCloud 21, modify values in:


in the buildPolicy function by changing the section under allowedFrameDomains (line 499) to:

“frame-src https://*”

and in the section allowedFrameAncestors (line 509) to:

“frame-ancestors https://*”

Also still comment out the “X-Frame-Options: SAMEORIGIIN” line in /lib/private/legacy/OC_Response.php to ensure values from the Content-Security-Policy header govern X-Frame rules instead.

and how about NextCloud 22, anyone got it working? cheers!

Also not working for me with NextCloud 24. Any ideas?

…and with NextCloud 25?

I do not use it and i am not a programmer. But because of this blog article (see post from Sep. 20) i found in GitHub four code segments. Because a user account i needed i post here the filename and function.

public function getAllowedFrameAncestors(): array {

→ i think not relevant

protected $allowedFrameAncestors = null;

→ maybe relevant, but i think not

protected $allowedFrameAncestors = [];

→ Maybe or Maybe not, see blog article

protected $allowedFrameAncestors = [

i think relevant, same as link above

Read again this blog article, find the position and test to change it.
Post if it also works with Nextcloud 25. Thank you.