Iframe not rendering on another domain

Hello, so I started this question on the GitHub repo and was told to post here instead. TL;DR: I want to include my ownCloud instance in another website through an iframe, but it appears to be blocked by the lack of Access-Control-Allow-Origin.

According to @DeepDiver1975, it's the CSP setup that disallows it, but I don't see the frame-ancestors parameter that would block an iframe from loading ownCloud. And the browser itself says it refused to display because 'X-Frame-Options' is set to 'sameorigin'.

Steps to reproduce

  1. configure owncloud to have “cors.allowed-domains”: “https:// example. com”
  2. configure a page to include an iframe with src=“owncloud. example. com/s/zhdavdjaz”
  3. load the page

Expected behaviour

the return header should include Access-Control-Allow-Origin: https:// example. com

Actual behaviour

Without the header, the browser refuses to load the content.

If I understand correctly from this https:// www. moesif. com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/# for a simple request the only thing missing is the header part. However, it looks like, from https:// github. com/owncloud/core/blob/2de709ee929ff8ffd480019c82e09929134ad41d/lib/public/AppFramework/ApiController.php#L85, ownCloud only sends this header for a preflighted request. Is there something that I'm missing in the ownCloud configuration?


Server configuration

Operating system:
Linux
Web server:
Apache
Database:
MariaDB
PHP version:
7.2.17-0ubuntu0.18.04.1
ownCloud version: (see ownCloud admin page)
10.2.1.4
Updated from an older ownCloud or fresh install:
fresh
Where did you install ownCloud from:
docker
Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

List of activated apps:

Are you using external storage, if yes which one: local/smb/sftp/…
no
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
no

Client configuration

Browser:
chrome
Operating system:
windows 10

Sorry if I butchered some URLs, my account can't post more than two URLs apparently.
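Added example, not part of the original post and not ownCloud code: a simplified model of the framing check current browsers apply to a response, showing that `X-Frame-Options` and CSP `frame-ancestors` decide whether the iframe renders and that `Access-Control-Allow-Origin` is not consulted. The function names and header values are constructed for illustration, only one level of embedding is modelled, and `frame-ancestors` sources are matched as exact origins.

```javascript
// Simplified model of a browser's framing check for ONE level of embedding.
// Constructed example: header values are sample data, not captured output.

function parseFrameAncestors(csp) {
  // Returns the source list of the frame-ancestors directive, or null if absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingDecision(headers, framedUrl, parentOrigin) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const selfOrigin = new URL(framedUrl).origin;

  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    const ok = ancestors.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "*") return true;
      if (s === "'self'") return parentOrigin === selfOrigin;
      return s === parentOrigin; // exact origins only in this sketch
    });
    return { allowed: ok, decidedBy: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "sameorigin")
    return { allowed: parentOrigin === selfOrigin, decidedBy: "x-frame-options" };

  // Access-Control-Allow-Origin is never read here: CORS governs script access
  // to cross-origin responses, not whether a document may be framed.
  return { allowed: true, decidedBy: "no framing restriction" };
}

const SHARE_URL = "https://owncloud.example.com/s/zhdavdjaz"; // URL form from the post
const PARENT = "https://example.com";
console.log(framingDecision(
  { "X-Frame-Options": "SAMEORIGIN", "Access-Control-Allow-Origin": PARENT },
  SHARE_URL, PARENT)); // blocked despite the CORS header
```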

Following this thread. Trying to embed my server-side ownCloud login link using an iframe, but it's not showing up. Is this a restriction in ownCloud?

See my reply on Iframe blocking?
