OnlyOffice blocked by content security policy (CSP)

The OnlyOffice app is getting blocked by content security policy. I haven’t found anything in the docs or Google on the preferred way to adjust the policy to allow the OnlyOffice app to work.

The closest I got was this comment: Error in Collabora Code: Content Security Policy (“frame-src”) - #3 by muhammadhanif

Is there a way to modify OwnClouds CSP without messing with HTTP headers?

Since it didn’t get covered by the questions in the template, I’m running docker containers for OwnCloud, Redis, MariaDB, and OnlyOffice behind HAProxy.

Oh, and I actually think I had OO working back when I set this instance up a few months ago, but then it fell to the wayside and I just was upgrading things today when I found that OO wasn’t working…

Steps to reproduce

  1. Try to load a document using OnlyOffice.

Expected behaviour

The document should load.

Actual behaviour

Just get an Owncloud frame with no document loaded.

In the console, I see:

Content Security Policy: The page’s settings blocked the loading of a resource at http://oo.example.org/6.4.2-6/web-apps/apps/documenteditor/main/index_loader.html?_dc=6.4.2-6&lang=en&customer=ONLYOFFICE&frameEditorId=iframeEditor&compact=true&parentOrigin=https://cloud.example.org (“frame-src”).

Server configuration

Operating system:
Official Docker Image owncloud/server:10.8
Web server:
Official Docker Image owncloud/server:10.8
Database:
Docker: library/mariadb:10
PHP version:
Official Docker Image owncloud/server:10.8
ownCloud version: (see ownCloud admin page)
Official Docker Image owncloud/server:10.8
Updated from an older ownCloud or fresh install:
Updated from 10.7 today.
Where did you install ownCloud from:
Docker
Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and puth the link here.

No errors have been found.

The content of config/config.php:

skipping for now

List of activated apps:

skipping for now

Are you using external storage, if yes which one: local/smb/sftp/…
No
Are you using encryption: yes/no
No
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
Now

Client configuration

Browser:
Firefox
Operating system:
Linux

Logs

Web server error log

skipping for now

ownCloud log (data/owncloud.log)

skipping for now

Browser log

skipping for now

Figured it out. I needed to set the forwarded headers per the instructions here: Using ONLYOFFICE Docs behind the proxy - ONLYOFFICE