Hi guys,
Anyone know if it's possible to add Roundcube and Nextcloud into an iframe?
IIRC, you will need to check the nginx config files to see if CSP or X-headers are configured.
I think an easy way to do this is with curl:
$ curl -I https://box.example.com/mail
HTTP/2 302
server: nginx
date: Thu, 05 Mar 2020 14:38:48 GMT
content-type: text/html
content-length: 154
location: https://box.example.com/mail/
strict-transport-security: max-age=15768000
Since there are no X-Frame-Options or Content-Security-Policy headers, I'm pretty sure you can load in an iframe.
I got the same response but there is X-Frame-Options and Content Security Policy in numerous locations…
For NextCloud you have the following locations
/usr/local/lib/owncloud/.htaccess
/usr/local/lib/owncloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php
/usr/local/lib/owncloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
/usr/local/lib/owncloud/lib/private/AppFramework/Http/Request.php
/root/mailinabox/conf/nginx.conf
and I know I've missed a few…
Most of them are stated in this thread: SOLVED: Nextcloud 16 - How to allow iFrame usage - ℹ️ Support - Nextcloud community
Browser network monitor displays the following response headers when loading the Nextcloud iframe…
The iframe will not load for Nextcloud even from box.example.com
HTTP/2 302 Found
server: nginx
date: Fri, 06 Mar 2020 05:08:26 GMT
content-type: text/html; charset=UTF-8
content-length: 0
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
set-cookie: nc_sameSiteCookielax=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: nc_sameSiteCookiestrict=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
cache-control: no-cache, no-store, must-revalidate
location: /cloud/index.php/login
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
X-Firefox-Spdy: h2
I haven't looked at all the locations for Roundcube just yet, although I uploaded a simple index.html with an iframe to the box.example.com www root and the iframe will work, but not on any other domains…
Browser network monitor displays the following response headers when loading the Roundcube iframe
HTTP/2 200 OK
server: nginx
date: Fri, 06 Mar 2020 05:14:58 GMT
content-type: text/html; charset=UTF-8
expires: Fri, 06 Mar 2020 05:14:58 GMT
last-modified: Fri, 06 Mar 2020 05:14:58 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
content-language: en
content-encoding: gzip
X-Firefox-Spdy: h2
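Added example (not from the thread or from either project): a Node.js sketch of how the two framing headers discussed above, X-Frame-Options and the CSP frame-ancestors directive, are evaluated for a given embedding origin. It assumes a single direct parent and only 'none', 'self', * and exact-origin sources; the sample headers are constructed and portal.example.org is a hypothetical embedding site. default-src is not a fallback for frame-ancestors, and headers on a 302 describe only the redirect, not the page it leads to.

```javascript
// Constructed sample responses (status line plus headers).
const NEXTCLOUD_302 = "HTTP/2 302\n" +
  "content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self'";
const RESTRICTED = "HTTP/2 200\nx-frame-options: DENY\n" +
  "content-security-policy: frame-ancestors 'self' https://portal.example.org";

function parseHeaders(raw) {
  // Header names are case-insensitive; repeated headers are kept as a list.
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // status line or blank line
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

function frameAncestors(cspValue) {
  // Source list of frame-ancestors, or null when the directive is absent.
  for (const directive of cspValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function canBeFramed(raw, resourceOrigin, parentOrigin) {
  const h = parseHeaders(raw);
  const policies = (h['content-security-policy'] || [])
    .map(frameAncestors).filter((s) => s !== null);
  if (policies.length > 0) {
    // frame-ancestors takes precedence: X-Frame-Options is ignored here,
    // and every policy that sets the directive must allow the parent.
    return policies.every((sources) => sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return parentOrigin === resourceOrigin;
      return src === '*' || src === parentOrigin;
    }));
  }
  const xfo = (h['x-frame-options'] || []).join(',').toLowerCase();
  if (xfo.includes('deny')) return false;
  if (xfo.includes('sameorigin')) return parentOrigin === resourceOrigin;
  return true; // these headers impose no framing restriction
}
```

To allow one external site while keeping the box itself working, the final (non-redirect) response needs a `frame-ancestors` list like the one in `RESTRICTED`.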