Embedding owncloud in a iframe

DaRo · August 22, 2016, 8:28am

Issue
- I want to embed in a iframe an owncloud folder.
- Even changing the option X-Frame-Options in the htaccess file, doesn't solve the problem, keeps giving me an x-Frame-Options Sameorigin error.

Expected behaviour
After changing the option Header set X-Frame-Options to "ALLOW-FROM http://display-website.de/", still not "allowing" this domain, or not making any change at all.

Actual behaviour
I can't see the iframe in http://display-website.de/, throws me an error:
Refused to display 'https://media.display-website.de/index.php/apps/files/' in a frame because it set 'X-Frame-Options' to 'Sameorigin'.

Server configuration
Operating system: N/A
Web server: Apache (Version N/A)
Database: MYSQL
PHP version: 7.0 (CGI)
ownCloud version: ownCloud 9.1.0 (stable)
Updated from an older ownCloud or fresh install: fresh install
ownCloud log: this error it's not displaying in the log

Special configuration (external storage, external authentication, reverse proxy, server-side-encryption): server-side encription

Integrity status for oC9+

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
	- INVALID_HASH
		- .htaccess
Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [.htaccess] => Array
                        (
                            [expected] => ab5f4c44ba2f9c66f2ed25c3ad3d84660b2808cca11ffa8fe2778a648a054d8ada495a0bf4715dc873aac1efe8dfd92a72f9a24441d8f5240834e639325fd892
                            [current] => 5b86ad1ddee7a09ab9d7e52ef8f00e67d563fb1e55121e7538f9be80baa1cb8fa43f2e62707502627b1816c3aaf0866194c97a6c5500903535b05b28cf85a7b7
                        )
                )

    )
)

Thanks to everybody that readed til here

anon30676603 · August 20, 2016, 10:06pm

You can search through the code of oC for that "same origin" thingy. I think that will be set somewhere in the code by default.

DaRo · August 22, 2016, 8:15am

Did it already... same result... there it's something that i'm missing

anon30676603 · August 22, 2016, 8:55am

See:

github.com

owncloud/core/blob/v9.1.0/lib/private/legacy/response.php#L262


			. 'font-src \'self\' data:; '
			. 'media-src *; ' 
			. 'connect-src *';
		header('Content-Security-Policy:' . $policy);


		// Send fallback headers for installations that don't have the possibility to send
		// custom headers on the webserver side
		if(getenv('modHeadersAvailable') !== 'true') {
			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
			header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
		}
	}


}

DaRo · August 22, 2016, 8:40am

Yes! i was just going to put an answer here, i found this 20 minutes ago, and it's exactly this file!

Thank you so much for your help

Bert · April 1, 2019, 4:19pm

Hello,

1/ Will I be able to embed an owncloud server if it is hosted in a sub domain, when the web site doing the embedding is in another sub domain but with the same domain name (ex. Can I embed owncloud.mywebsite2344234234.com in test.mywebsite2344234234.com without having issue with the sameorigin restriction ?)

If not

2/ Can I embed Owncloud in only one website (with one specific domain name - and no other website will be able to embed it) and how to ?

Thanks for your answers…

hodyroff · April 1, 2019, 6:18pm

In the meantime there is a CORS function in ownCloud. You do need to enter the URL and that will be an exception to the CSP rule. https://doc.owncloud.com/server/admin_manual/configuration/server/config_sample_php_parameters.html

zamboknee · August 21, 2021, 3:38pm

Is this accessible via FTP client (Transmit)?

alfredb · August 22, 2021, 8:39am

I consider your question as OT, and I don’t know what ‘this’ relates to. And dropping a OT question into an 2 years old thread doesn’t make any sense either.

To access files in ownCloud you have to use WebDAV, nothing else.

zamboknee · August 22, 2021, 2:05pm

Not OT (Off Topic, right?)
I’m asking about the CORS stuff. (Access ‘this’ meaning the CORS code. Can you access the proper file to change CORS via an FTP client.
If you read the OP (that means Original Post for those wondering) you’d see that they were looking for a way to embed owncloud folder via Iframe. As am I.
If the topic is still relevant to someone what does it matter if you post 2 years later?
Forums are usually for getting answers from other users not attitude.

alfredb · August 22, 2021, 3:14pm

You’re right, my bad. I’m very sorry that I didn’t understand your vague question, and I hope you’ll find an answer somewhere.

zamboknee · August 22, 2021, 6:34pm

I should have been more specific. Apologies.

tom42 · August 26, 2021, 11:54am

Hey,

it seems there was some additional info posted about this in the following topic recently: