CSP Issues
-
So I found an issue with 3 apps when setting the ability to embed.
Freescout, Chatwoot and Open WebUI
Using the preset configuration to allow embedding:

# Allow embedding from all sites
default-src 'self'; frame-ancestors 'none';

It causes an issue with Freescout and Chatwoot loading at all when going directly, and shows an error on the website embedding it.
I thought the app became corrupt, so I installed the setup again and tried to add the CSP again, only to face the same issue. Chatwoot did not work after removing the CSP, but Freescout worked again.
Open WebUI just shows a huge Open WebUI logo.
-
Generally embedding via iframing is not a great idea, since it enables clickjacking attacks. In Cloudron you can however overwrite the CSP related headers as you have done. This still does not mean the apps themselves allow this; they might set (and actually should in my opinion) those CSP values in meta tags themselves. So even if the apps you want to use do not have their own security measures here, you might still only want to allow specific origins here, otherwise anyone can embed your apps and perform an attack.
-
They were only being embedded for the staff on our Nextcloud, not for the public. And we did restrict to our internal domains and had the same issues.
Just thought people should know that some apps don't work at all with CSP, causing these apps' GUI to stop loading completely, making it look like the app no longer works.
-
joseph has marked this topic as solved
-
Basically, there is no fix for allowing embedding on our own websites, even with specific origins set and for the app to load.
I remember at one point you should not set CSP for all apps, but now it seems it's on all apps even though it doesn't work with all of them.
-
Cloudron does not set the CSP header unless a custom one is specified in the app configure view in the security page.
However apps may set this on their own, either through headers or also as meta tags in the delivered pages. Cloudron does not interfere here. This is however a topic for each app which is not setting those according to your needs.
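To make the clickjacking point and the last reply concrete, here is an added example (not code from this thread or from Cloudron) that evaluates a CSP `frame-ancestors` directive the way a browser does when deciding whether a page may frame an app. It shows why the quoted "allow embedding" preset, which ends in `frame-ancestors 'none'`, blocks framing from every page including the app's own origin, and what a directive restricted to a named intranet origin permits instead. The origins and header values are constructed for the example. One caveat worth knowing when reading the reply above: per the CSP specification browsers ignore `frame-ancestors` delivered in a `<meta>` tag; only the HTTP response header is honoured, so an app that wants to control framing must send it as a header.

```python
"""Check which embedding pages a CSP frame-ancestors directive admits.

Added example for this thread; it is not code from the forum or from
Cloudron. It implements the CSP Level 3 source-expression matching that
matters for framing ('none', 'self', *, a scheme-source such as https:, and a
host-source with an optional *. wildcard and optional port). Origins are
assumed to be given as scheme://host[:port]; the scheme-upgrade rule (http:
matching https URLs) is deliberately left out.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_origin(origin):
    """Return (scheme, host, port) for an origin like https://app.example.com:8443."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def parse_frame_ancestors(csp_header):
    """Return the frame-ancestors source list, or None if the header has none.

    No directive means CSP places no restriction on framing at all; only an
    X-Frame-Options header (not modelled here) could still block it.
    """
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(source, embedder_origin, app_origin):
    """Apply one source expression to the origin of the page doing the embedding."""
    scheme, host, port = _split_origin(embedder_origin)
    src = source.lower()
    if src == "'none'":
        return False                      # matches nothing, whatever else is listed
    if src == "'self'":
        return _split_origin(app_origin) == (scheme, host, port)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:   # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    # host-source: [scheme://]host[:port], host may begin with "*."
    src_scheme, _, rest = src.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    if src_scheme and src_scheme != scheme:
        return False
    if src_port and src_port != "*":
        if port != int(src_port):
            return False
    elif not src_port and port != DEFAULT_PORTS.get(src_scheme or scheme):
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])   # "*.example.com" -> ".example.com"
    return host == src_host


def frame_ancestors_allows(csp_header, embedder_origin, app_origin):
    """True if a page at embedder_origin may frame the app served with csp_header."""
    sources = parse_frame_ancestors(csp_header)
    if sources is None:
        return True
    return any(_source_matches(s, embedder_origin, app_origin) for s in sources)


def build_frame_ancestors(allowed_origins):
    """Build the directive an admin would set to allow only the listed embedders."""
    return "frame-ancestors 'self' " + " ".join(allowed_origins) + ";"


# Constructed values: the app's own origin and the intranet page that frames it.
APP_ORIGIN = "https://helpdesk.example.com"
INTRANET = "https://cloud.example.com"
# Preset as quoted in the thread: 'none' forbids framing by every page, including
# the app's own origin, which is consistent with an embedding page showing an error.
PRESET_FROM_THREAD = "default-src 'self'; frame-ancestors 'none';"
RESTRICTED = "default-src 'self'; " + build_frame_ancestors([INTRANET])


def demo():
    """Compare the two policies for the intranet page and for an arbitrary site."""
    return {
        "preset_intranet": frame_ancestors_allows(PRESET_FROM_THREAD, INTRANET, APP_ORIGIN),
        "restricted_intranet": frame_ancestors_allows(RESTRICTED, INTRANET, APP_ORIGIN),
        "restricted_other": frame_ancestors_allows(RESTRICTED, "https://other.example", APP_ORIGIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Running it shows the quoted preset blocking the intranet page while the restricted directive admits only `https://cloud.example.com` and the app's own origin. When checking a real deployment, fetch the app's response with `curl -sI` and look at the `Content-Security-Policy` header it actually sends, since an app that sets its own header will still block framing regardless of what the platform configuration says.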