Hello, so I started this question on the GitHub repo and was told to post here instead. TL;DR: I want to include my ownCloud instance in another website through an iframe, but it appears to be blocked by the lack of Access-Control-Allow-Origin.
According to @DeepDiver1975, it's the CSP setup that disallows it, but I don't see the frame-ancestors parameter that would block an iframe from loading ownCloud. And the browser itself says it refused to display because 'X-Frame-Options' is set to 'sameorigin'.
Steps to reproduce
- configure ownCloud to have “cors.allowed-domains”: “https://example.com”
- configure a page to include an iframe with src=“owncloud.example.com/s/zhdavdjaz”
- load the page
The return header should include Access-Control-Allow-Origin: https://example.com
Without the header the browser refuses to load the content.
If I understand correctly from this https://www.moesif.com/blog/technical/cors/Authoritative-Guide-to-CORS-Cross-Origin-Resource-Sharing-for-REST-APIs/# for a simple request the only thing missing is the header part. However, it looks from https://github.com/owncloud/core/blob/2de709ee929ff8ffd480019c82e09929134ad41d/lib/public/AppFramework/ApiController.php#L85 like ownCloud only sends this header for a preflighted request. Is there something that I'm missing in the ownCloud configuration?
ownCloud version: (see ownCloud admin page)
Updated from an older ownCloud or fresh install:
Where did you install ownCloud from:
Signing status (ownCloud 9.0 and above):
Log in as admin user into your ownCloud and access http://example.com/index.php/settings/integrity/failed, paste the results into https://gist.github.com/ and put the link here.
The content of config/config.php:
List of activated apps:
Are you using external storage, if yes which one: local/smb/sftp/…
Are you using encryption: yes/no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
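
The browser message quoted in the post refers to framing headers, so the following added example (not part of the original post and not ownCloud code) models how a browser decides whether a response may be shown in an iframe, using only `X-Frame-Options` and CSP `frame-ancestors`. The `https://` scheme on the share URL, the header sets and the function names are constructed for illustration, and the matcher is simplified to one level of nesting and exact-origin sources.

```javascript
// Added example. Simplified model of a browser's framing check for one level
// of nesting. Only exact origins, 'self', 'none' and * are matched; wildcard
// hosts and scheme-only sources are not handled.
function sourceMatches(source, parentOrigin, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === selfOrigin;
  if (s === '*') return true;
  try { return new URL(s).origin === parentOrigin; } catch (e) { return false; }
}

function framingVerdict(resourceUrl, parentUrl, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const selfOrigin = new URL(resourceUrl).origin;
  const parentOrigin = new URL(parentUrl).origin;

  // frame-ancestors, when present, is enforced instead of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const allowed = directive.slice(1)
      .some(s => sourceMatches(s, parentOrigin, selfOrigin));
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { allowed: false, decidedBy: 'x-frame-options' };
  if (xfo === 'sameorigin') {
    return { allowed: parentOrigin === selfOrigin, decidedBy: 'x-frame-options' };
  }
  // Access-Control-Allow-Origin is never consulted for framing.
  return { allowed: true, decidedBy: 'none' };
}

// Constructed sample values, based on the hosts named in the post.
const share = 'https://owncloud.example.com/s/zhdavdjaz';
const page = 'https://example.com/';
const blocked = framingVerdict(share, page, {
  'X-Frame-Options': 'SAMEORIGIN',
  'Access-Control-Allow-Origin': 'https://example.com',
});
const permitted = framingVerdict(share, page, {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://example.com",
  'X-Frame-Options': 'SAMEORIGIN',
});
console.log(blocked, permitted);
```

In the first constructed response the CORS header is present and the verdict is still a block decided by `X-Frame-Options`; in the second, an explicit `frame-ancestors` entry for the embedding origin is what permits the frame.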