I want to embed a shared calendar from https://cloud.netzwissen.de to another page running in a CMS on https://netzwissen.de by using <iframe>...</iframe>. But the X-Frame-Options = SAMEORIGIN header blocks the embedding although both servers run on the same domain (but in different containers with different host URLs).
Do we have a direct setting in OC which allows to specifically embed the calendar links or allow the embeddigng within the same subdomain? As far as I understand SAMEORIGIN means “same URL” and this is the reason that kills my setup here ;-( …
(this is NOT the caldav link used elsewhere). I also looked into config.php and there I have both domains set in
cors.allowed-domain trusted_domains
Thus it should be possible to embed this code into other sites within the same domain. At least with some special fine-tuning of the headers/config …
CORS does not apply for embedding the ownCloud on another site. AFAIK, the only way around it, is to extend the default CSP. This can be done in the reverse proxy in front of your ownCloud or in the web server that serves ownCloud (would not recommend this way if oC is running in a container).
A CSP extension can look like this, but depending on the used webserver/proxy the syntax might be different:
In this example, I have extended the CPS by a frame-ancestors 'self' file: to allow embedding on a local file by frame-ancestors 'self' file:. It’s important to keep the original parts of the CSP, as these are set dynamically. A hard override of the dynamic CSP header with a static one may cause other issues.
Thanks @rkaussow , I think, thats the correct direction ;-)).
The OC operates in a container, but LXC, not docker (virtualized with proxmox VE) and there is a haproxy in front for ssl termination. So I believe this could be managed either with some settings in the haproxy backend config or on the local apache inside the container. I would also prefer the haproxy way …
Not sure if haproxy has a proper replacement for Apaches Header merge directive, if not I would go the Apache way as overwriting the entire CSP with a static one is nearly impossible due to the already mentioned dynamic handling in core and all apps.
Small note on this approach. I noticed that Apache Header merge will merge headers with a , instead of a ; which is invalid for CSP. To workaround this issue yet another “hack” is required:
This is interesting, maybe this could make it’s way to the documentaition.
Out of curiosity, do you think @butonic’s gist at MyCSP app for ownCloud · GitHub is (still) working? That could be a solution for users who do have admin access to their cloud but not to the web server configuration.
Not sure, this approach is pretty old already and IMO a custom app just to extend the CSP is really a bit overkill. If users don’t have access to the web servers config, this can be done via .htaccess as well. Users might need to deal with the integrity check and need to add it back after each upgrade, but still better than a custom app.
However, if you would like to try the custom app approach, I would be interested in the results
@rkaussow - thanks a lot, your approach worked perfectly!
I first played with haproxy (latest stable 2.6). But as far as I understand, it only allows to set fixed additional headers. You can add headers e.g. for Strict-Transport-Security or the X-Forwarded-xxx headers for the proxy itself, thats easy.
But I could not find any docs about merging of header value strings coming from an application with additional values from haproxy. Therefore I implemented it with your recommendation (the apache way) and it worked directly
Will still ask the haproxy devs if there is a way to do this in the haproxy, it may be useful as an alternative and for documentation …
