CSP Issues
-
So I found an issue with 3 apps when setting the ability to embed.
Freescout, Chatwoot and Open WebUI
Using the preset configuration to allow embedding:

# Allow embedding from all sites
default-src 'self'; frame-ancestors 'none';

It causes an issue with Freescout and Chatwoot not loading at all when going to them directly, and shows an error on the website embedding it.
I thought the app had become corrupt, so I reinstalled it and tried to add the CSP again, only to face the same issue. Chatwoot did not work after removing the CSP, but Freescout worked again.
Open WebUI just shows a huge Open WebUI logo.
-
Generally embedding via iframing is not a great idea, since it enables clickjacking attacks. In Cloudron you can however overwrite the CSP related headers, as you have done. This still does not mean the apps themselves allow this; they might set (and actually should, in my opinion) those CSP values in meta tags themselves. So even if the apps you want to use do not have their own security measures here, you might still want to allow only specific origins, otherwise anyone can embed your apps and perform an attack.
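To make the point about specific origins concrete, here is an added example (not part of the original post, nor Cloudron's or any of the apps' code) that evaluates the frame-ancestors directive of a CSP string against an embedding origin. The policies and hostnames (cloud.example.com, *.intra.example.com) are constructed; frame-ancestors is the only part of the policy that governs embedding, while default-src governs what the app's own page may load.

```python
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list (lowercased tokens), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _host_matches(pattern, host):
    # "*.example.com" matches subdomains only, never the bare "example.com"
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def allows_embedding(csp, app_origin, embedder_origin):
    """True if a page at embedder_origin may frame a document served at app_origin under csp."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True   # no frame-ancestors: CSP imposes no framing restriction
    if not sources or sources == ["'none'"]:
        return False  # the thread's preset lands here: nobody may embed
    app, emb = urlsplit(app_origin), urlsplit(embedder_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if (emb.scheme, emb.hostname, emb.port) == (app.scheme, app.hostname, app.port):
                return True
            continue
        if src.endswith(":") and "://" not in src:   # scheme-only source, e.g. https:
            if emb.scheme == src[:-1]:
                return True
            continue
        pat = urlsplit(src if "://" in src else "//" + src)
        if pat.scheme and pat.scheme != emb.scheme:
            continue
        if pat.port is not None and pat.port != emb.port:  # explicit ports only; defaults not inferred
            continue
        if _host_matches(pat.hostname or "", emb.hostname or ""):
            return True
    return False

# Constructed policies: the thread's preset, and an internal-only alternative.
PRESET_CSP = "default-src 'self'; frame-ancestors 'none';"
INTERNAL_CSP = "frame-ancestors 'self' https://cloud.example.com https://*.intra.example.com;"
```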
-
They were only being embedded for the staff on our Nextcloud, not for the public. And we did restrict to our internal domains and had the same issues.
Just thought people should know that some apps don't work at all with CSP, causing these apps' GUI to stop loading completely, making it look like the app no longer works.