Hello, so I started this question on the GitHub repo and was told to post here instead. TLDR: I want to include my ownCloud instance in another website through an iframe, but it appears to be blocked by the lack of Access-Control-Allow-Origin.
According to @DeepDiver1975, it's the CSP setup that disallows it, but I don't see the frame-ancestors parameter that would block an iframe from loading ownCloud. And the browser itself says it refused to display because 'X-Frame-Options' is set to 'sameorigin'.
Steps to reproduce
- configure ownCloud to have "cors.allowed-domains": "https://example.com"
- configure a page to include an iframe with src="owncloud.example.com/s/zhdavdjaz"
- load the page
Expected behaviour
the return header should include Access-Control-Allow-Origin: https://example.com
Actual behaviour
Without the header the browser refuses to load the content.
If I understand correctly from this https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/# for a simple request the only thing missing is the header part. However, it looks from https://github.com/owncloud/core/blob/2de709ee929ff8ffd480019c82e09929134ad41d/lib/public/AppFramework/ApiController.php#L85 that ownCloud only sends this header for a preflighted request. Is there something that I'm missing in the ownCloud configuration?
Server configuration
Operating system:
Linux
Web server:
Apache
Database:
MariaDB
PHP version:
7.2.17-0ubuntu0.18.04.1
ownCloud version: (see ownCloud admin page)
10.2.1.4
Updated from an older ownCloud or fresh install:
fresh
Where did you install ownCloud from:
docker
Signing status (ownCloud 9.0 and above):
Login as admin user into your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.
The content of config/config.php:
List of activated apps:
Are you using external storage, if yes which one: local/smb/sftp/…
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no
Client configuration
Browser:
Chrome
Operating system:
Windows 10
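Added example, not part of the original post and not ownCloud code: a simplified model of how a browser decides whether a response may be rendered in an iframe, using the headers named in the post. The function names and sample headers are constructed for illustration, and the model assumes a single-level embed with only exact-origin, 'self', 'none' and * sources.

```javascript
// Simplified model of a browser's framing check for a single-level embed.
// Only exact-origin, 'self', 'none' and * sources are handled (no host wildcards).
function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingDecision(rawHeaders, parentOrigin, resourceOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;
  const sameOrigin = parentOrigin === resourceOrigin;

  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    const ok = sources.some((s) =>
      s === "*" || (s === "'self'" && sameOrigin) || s === parentOrigin);
    return { allowed: ok, decidedBy: "frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { allowed: sameOrigin, decidedBy: "x-frame-options" };
  // Access-Control-Allow-Origin is never read here: CORS governs script access
  // to responses, not whether a document may be rendered in a frame.
  return { allowed: true, decidedBy: "default" };
}

// Constructed sample responses (not captured from a real ownCloud server).
const parent = "https://example.com";
const resource = "https://owncloud.example.com";
const reported = {
  "X-Frame-Options": "SAMEORIGIN",
  "Access-Control-Allow-Origin": "https://example.com",
};
const withAncestors = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://example.com",
};
console.log(framingDecision(reported, parent, resource));
console.log(framingDecision(withAncestors, parent, resource));
```

The first sample is blocked by X-Frame-Options even though a CORS header is present; the second is allowed because frame-ancestors names the embedding origin.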