RoundCube & NextCloud Iframe

Hi guys,
Anyone know if it's possible to add Roundcube and Nextcloud into an iframe?

IIRC, you will need to check the nginx config files to see if CSP or X-headers are configured.

I think an easy way to do this is with curl:

$ curl -I https://box.example.com/mail
HTTP/2 302 
server: nginx
date: Thu, 05 Mar 2020 14:38:48 GMT
content-type: text/html
content-length: 154
location: https://box.example.com/mail/
strict-transport-security: max-age=15768000

Since there are no X-Frame-Options or Content-Security-Policy headers, I’m pretty sure you can load in an iframe.

I got the same response but there are X-Frame-Options and Content Security Policy settings in numerous locations…

For NextCloud you have the following locations
/usr/local/lib/owncloud/.htaccess
/usr/local/lib/owncloud/lib/public/AppFramework/Http/ContentSecurityPolicy.php
/usr/local/lib/owncloud/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
/usr/local/lib/owncloud/lib/private/AppFramework/Http/Request.php
/root/mailinabox/conf/nginx.conf

and I know I've missed a few…

most of them are stated in this thread https://help.nextcloud.com/t/solved-nextcloud-16-how-to-allow-iframe-usage/52278

Browser network monitor displays the following response headers when loading the Nextcloud iframe…

The iframe will not load for Nextcloud even from box.example.com

HTTP/2 302 Found
server: nginx
date: Fri, 06 Mar 2020 05:08:26 GMT
content-type: text/html; charset=UTF-8
content-length: 0
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
set-cookie: nc_sameSiteCookielax=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: nc_sameSiteCookiestrict=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
cache-control: no-cache, no-store, must-revalidate
location: /cloud/index.php/login
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
X-Firefox-Spdy: h2

I haven't looked at all the locations for Roundcube just yet, although I uploaded a simple index.html with an iframe to the box.example.com www root and the iframe will work, but not on any other domains…

Browser network monitor displays the following response headers when loading the Roundcube iframe

HTTP/2 200 OK
server: nginx
date: Fri, 06 Mar 2020 05:14:58 GMT
content-type: text/html; charset=UTF-8
expires: Fri, 06 Mar 2020 05:14:58 GMT
last-modified: Fri, 06 Mar 2020 05:14:58 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
content-language: en
content-encoding: gzip
X-Firefox-Spdy: h2

1 Like
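Two points in the replies above are worth pinning down with a check that goes beyond eyeballing `curl -I` output: a 302 response (as in both the `/mail` and the Nextcloud captures) only describes the redirect, so the final response has to be fetched (`curl -IL`) before anything can be said about framing; and a Content-Security-Policy header only restricts framing if it carries a `frame-ancestors` directive, because that directive does not fall back to `default-src`. The Nextcloud CSP shown above (`default-src 'none';base-uri 'none';manifest-src 'self'`) therefore does not, by itself, block an iframe. The script below is an added example, not code from the thread or from Mail-in-a-Box, Nextcloud or Roundcube. It takes a raw header block and an embedding origin and reports how a browser would treat the frame. The header blocks are constructed from the captures posted above (trimmed), except `LOCKED_DOWN`, which is a hypothetical final page added to exercise the `frame-ancestors` path; `https://intranet.example.com` is an assumed partner origin.

```python
"""Decide from HTTP response headers whether a page may be loaded in an iframe.

Browsers check Content-Security-Policy frame-ancestors first (it does NOT fall back
to default-src); X-Frame-Options is consulted only when frame-ancestors is absent.
A 3xx response must be followed before either header means anything.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample responses, trimmed from the thread's curl / network-monitor output.
MAIL_REDIRECT = """HTTP/2 302
server: nginx
location: https://box.example.com/mail/
strict-transport-security: max-age=15768000
"""

# Nextcloud redirect from the thread: a CSP is present but has no frame-ancestors directive.
NEXTCLOUD_REDIRECT = """HTTP/2 302 Found
server: nginx
location: /cloud/index.php/login
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self'
x-content-type-options: nosniff
"""

# Roundcube 200 from the thread: no framing-related headers at all.
ROUNDCUBE_OK = """HTTP/2 200 OK
server: nginx
content-type: text/html; charset=UTF-8
cache-control: private, no-cache, no-store, must-revalidate
"""

# Hypothetical final page (not from the thread): CSP allows itself plus one assumed partner
# origin, while an X-Frame-Options DENY is also present to show that CSP takes precedence.
LOCKED_DOWN = """HTTP/2 200 OK
content-security-policy: default-src 'self'; frame-ancestors 'self' https://intranet.example.com
x-frame-options: DENY
"""


def status_code(raw: str) -> int:
    """Return the numeric status from the first line, e.g. 'HTTP/2 302 Found' -> 302."""
    return int(raw.strip().splitlines()[0].split()[1])


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines (status line skipped) into a lower-cased multi-dict."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # first colon only; values may contain URLs
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(headers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if no enforced CSP defines one.

    Only Content-Security-Policy counts; the Report-Only variant never blocks anything.
    """
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def source_allows(source: str, origin: str, self_origin: str) -> bool:
    """Match one CSP source expression against an embedding origin (scheme://host[:port])."""
    source = source.strip("'\"").lower()
    origin = origin.lower()
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return origin == self_origin.lower()
    if source.endswith(":") and "://" not in source:      # scheme-only source such as https:
        return origin.startswith(source + "//")
    scheme, _, host = origin.partition("://")
    src_scheme, sep, src_host = source.partition("://")
    if not sep:                                           # host-only source: any scheme
        src_scheme, src_host = "", source
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):                         # *.example.com matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host


def framing_decision(raw: str, embedding_origin: str, self_origin: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is redirect, allowed, denied or unrestricted."""
    code = status_code(raw)
    headers = parse_headers(raw)
    if 300 <= code < 400:
        target = headers.get("location", ["<no Location header>"])[0]
        return "redirect", f"{code} response; follow {target} and evaluate the final response"
    ancestors = csp_frame_ancestors(headers)
    if ancestors is not None:                             # CSP wins over X-Frame-Options
        ok = any(source_allows(s, embedding_origin, self_origin) for s in ancestors)
        return ("allowed" if ok else "denied"), f"frame-ancestors {' '.join(ancestors)}"
    xfo = headers.get("x-frame-options")
    if xfo:
        value = xfo[0].strip().upper()
        if value == "DENY":
            return "denied", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            same = embedding_origin.lower() == self_origin.lower()
            return ("allowed" if same else "denied"), "X-Frame-Options: SAMEORIGIN"
        return "unrestricted", f"X-Frame-Options value '{xfo[0]}' is obsolete or invalid and is ignored"
    return "unrestricted", "no frame-ancestors directive and no X-Frame-Options header"


if __name__ == "__main__":
    me, other = "https://box.example.com", "https://other.example.org"
    for label, raw in [("mail", MAIL_REDIRECT), ("nextcloud", NEXTCLOUD_REDIRECT),
                       ("roundcube", ROUNDCUBE_OK), ("locked-down", LOCKED_DOWN)]:
        print(label, framing_decision(raw, other, me))
```

To apply this to a live box, capture the final response with `curl -sIL https://box.example.com/cloud/` and feed the last header block to `framing_decision`; a `redirect` verdict means the check has not yet reached the page the browser will actually render.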