CORS does not apply to embedding ownCloud on another site. AFAIK, the only way around it is to extend the default CSP. This can be done in the reverse proxy in front of your ownCloud or in the web server that serves ownCloud (would not recommend this way if oC is running in a container).
A CSP extension can look like this, but depending on the web server/proxy used, the syntax might be different:
Header merge Content-Security-Policy "frame-ancestors 'self' https://netzwissen.de"
Remember this is a security feature, and you should be as strict as possible.
You can check the header with a simple curl request:
❯ curl -I http://10.168.64.122:8000/index.php/apps/calendar/embed/ZKAE9WBUSTHKH4GA
HTTP/1.1 200 OK
Date: Wed, 05 Oct 2022 13:42:37 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: ocwm1duxquzd=r7loihns4tb284178agq47keqk; path=/; HttpOnly; SameSite=Strict
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=Dbqd9xWo8nNcf%2Bfw4gnaCchRvjViBTBIrhNYX8TeLSQatuJ05IHnOFIXlFW3pszT5vL4RTK%2B5qFaG%2Ba7ftK5e4J01d2PPTGviLoTbYnaP6TJ4bzWrNSCxXiMTU4ZdIz9; expires=Wed, 05-Oct-2022 14:02:37 GMT; Max-Age=1200; path=/; HttpOnly; SameSite=Strict
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' * 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', frame-ancestors 'self' file:
Content-Length: 35449
Content-Type: text/html; charset=UTF-8
In this example, I have extended the CSP with "frame-ancestors 'self' file:" to allow embedding on a local file. It's important to keep the original parts of the CSP, as these are set dynamically. A hard override of the dynamic CSP header with a static one may cause other issues.
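
The header check described above can be automated. The following is an added example (not part of the original post and not ownCloud code) that parses a returned Content-Security-Policy value and reports whether a given origin may frame the page, treating the comma that `Header merge` inserts as a separator between independent policies, as browsers do. The function names are hypothetical, and source matching is simplified: schemes must match exactly, and paths and port wildcards are not handled.

```python
from urllib.parse import urlsplit

# Values taken from the post: the CSP header in the curl output and its origin.
POST_CSP = ("default-src 'none';manifest-src 'self';script-src 'self' * 'unsafe-eval';"
            "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';"
            "connect-src 'self';media-src 'self', frame-ancestors 'self' file:")
SELF_ORIGIN = "http://10.168.64.122:8000"

def parse_policies(csp_values):
    """Return one {directive: [sources]} dict per policy (commas separate policies)."""
    policies = []
    for value in csp_values:
        for chunk in value.split(","):
            directives = {}
            for item in chunk.split(";"):
                tokens = item.split()
                if tokens:  # first occurrence of a directive wins
                    directives.setdefault(tokens[0].lower(), tokens[1:])
            if directives:
                policies.append(directives)
    return policies

def source_matches(source, embedder, self_origin):
    """Match one frame-ancestors source expression against an embedding origin."""
    emb = urlsplit(embedder)
    if source == "'self'":
        return embedder == self_origin
    if source == "*":
        return emb.scheme in ("http", "https")
    if source.endswith(":"):  # scheme-source such as file: or https:
        return emb.scheme == source[:-1].lower()
    if "://" not in source:  # schemeless host: assume the protected page's scheme
        source = urlsplit(self_origin).scheme + "://" + source
    src = urlsplit(source)
    if src.scheme != emb.scheme or src.port != emb.port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return (emb.hostname or "").endswith(host[1:])
    return emb.hostname == host

def may_embed(csp_values, embedder, self_origin=SELF_ORIGIN):
    """True only if every policy that sets frame-ancestors allows the embedder."""
    for policy in parse_policies(csp_values):
        sources = policy.get("frame-ancestors")
        if sources is None:
            continue  # this policy places no restriction on framing
        if not any(source_matches(s, embedder, self_origin) for s in sources):
            return False
    return True
```

Browsers that enforce `frame-ancestors` ignore the `X-Frame-Options: SAMEORIGIN` header that the response above still carries, so the CSP result is the one that decides.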