Iframe not rendering on another domain

Hello, so I started this question on the github repo and been told to post here instead. TLDR: I want to include my owncloud instance in another website through iframe but it appears to be blocked by the lack of Access-Control-Allow-Origin

According to @DeepDiver1975 It’s the CSP setup that disallow it but I don’t see the frame-ancestors parameter that would block an iframe from loading owncloud. And the browser itself say it refused to dispaly because ‘X-Frame-Options’ is set to ‘sameorigin’.

Steps to reproduce

  1. configure owncloud to have “cors.allowed-domains”: “https:// example. com”
  2. configure a page to include an iframe with src=“owncloud. example. com/s/zhdavdjaz”
  3. load the page

Expected behaviour

the return header should include Access-Control-Allow-Origin: https:// example. com

Actual behaviour

without the header the browser refuse to load the content

If I understand correctly from this https:// www. moesif. com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/# for a simple request the only thing missing is the header part. However it looks like https:// github. com/owncloud/core/blob/2de709ee929ff8ffd480019c82e09929134ad41d/lib/public/AppFramework/ApiController.php#L85 that owncloud only send this header for a preflighted request. Is there something that i’m missing in the owncloud configuration?

Server configuration

Operating system:
Web server:
PHP version:
ownCloud version: (see ownCloud admin page)
Updated from an older ownCloud or fresh install:
Where did you install ownCloud from:
Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
paste the results into https://gist.github.com/ and puth the link here.

The content of config/config.php:

List of activated apps:

Are you using external storage, if yes which one: local/smb/sftp/…
Are you using encryption: yes/no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…

Client configuration

Operating system:
windows 10

Sorry if I butchered some url, my account can’t post more than two url apparently

following this thread. Trying to embed my server side owncloud login link using iframe but it’s not showing up. Is this a restriction in owncloud?

See my reply on Iframe blocking?

1 Like