Collabora NextCloud issue

iamthefij

Ok, so I've been racking my brain on this one for a while and can't figure it out.

I've got NextCloud installed at cloud.mydomain.com, and Collabora installed at docs.mydomain.com. I've updated Collabora to allow framing by https://cloud.mydomain.com as well as updated the host name in the app itself. I've also installed the Collabora app in NextCloud as well as told it to look at https://docs.mydomain.com.

This had been working for a while. Today I noticed it just kept spinning when trying to view a doc and see in the JavaScript console the following perplexing line:

Loading denied by X-Frame-Options: https://md.mydomain.com/ does not permit framing by https://cloud.mydomain.com/apps/files/?dir=/path/to/doc

What?! I do have an app (CodiMD) hosted at md.mydomain.com, however, that is something completely irrelevant. Just in case, I updated it to allow framing in https://cloud.iamthefij.com, but that doesn't seem to have helped either.

From there I started debugging. I grepped the /app directories for md.mydomain.com in both my NextCloud and Collabora containers, but found nothing. I tried renaming md.mydomain.com to md2.mydomain.com, but I got the exact same error:

Loading denied by X-Frame-Options: https://md.mydomain.com/ does not permit framing by https://cloud.mydomain.com/apps/files/?dir=/path/to/doc

On the other hand, when I rename docs.mydomain.com to docs2.mydomain.com, I get a NextCloud error that it can't connect to Collabora!

So it seems like NextCloud is connecting to Collabora, but for some reason it's then trying to load a different host...

murgero

@iamthefij Can you try resetting collabora? if you leave the default settings it only allows connections from your domain anyway

nebulon

I cannot think of anything causing nextcloud to iframe some random other domain. As @murgero said reinstalling collabora on the same domain should fix this, as the defaults should be ok already.

iamthefij

Tried that, but it did not fix it. For some reason it still shows the same thing.

FYI, the default is insecure. [a-zA-Z0-9_\-.]*example.com would actually allow someone to use a malicious domain like fake-example.com and use the instance as it would match that regex. It should really be example.com|[a-zA-Z0-9_\-]+.example.com. That way it's checking for root domain or any subdomain with a dot before the domain.

iamthefij

Just tried in Safari and got much more detailed information:

[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://cloud.example.com/apps/richdocuments/index?fileId=11418&requesttoken=blah': 'ALLOW-FROM https://md.example.com' is not a recognized directive. The header will be ignored.
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://docs.example.com/loleaflet/blah/loleaflet.html?WOPISrc=https%3A%2F%2Fcloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F11418_blah&title=Test.odt&lang=en&closebutton=1&revisionhistory=1': 'ALLOW-FROM https://cloud.example.com' is not a recognized directive. The header will be ignored.

It looks like both are trying to frame each other. When I did check my settings for cloud.example.com, I saw that I had allowed cloud.example.com to be embedded in md.example.com, so I'm wondering if that's where this is coming from.

Updated both to allow embedding from each other now.

Oddly enough I still get errors saying framing is not allowed.

Firefox gives me:

Load denied by X-Frame-Options: https://docs.example.com/ does not permit framing by https://cloud.example.com/apps/files/?dir=/Documents

Safari gives me:

[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://cloud.example.com/apps/richdocuments/index?fileId=11418&requesttoken=blah%3D%blah%blah%3D': 'ALLOW-FROM https://docs.example.com' is not a recognized directive. The header will be ignored.
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://docs.example.com/loleaflet/blah/loleaflet.html?WOPISrc=https%3A%2F%2Fcloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1141blah&title=Test.odt&lang=en&closebutton=1&revisionhistory=1': 'ALLOW-FROM https://cloud.example.com' is not a recognized directive. The header will be ignored.

The header itself shows X-Frame-Options: ALLOW-FROM https://cloud.example.com... which looks right.

iamthefij

More debugging weirdness! Looks like the Safari errors can be ignored. The iframe actually seems to be loading fine. I tested using my external link to Gitea embedded in NextCloud. It renders just fine, but the errors still shows in the log. Weird.

Then, within the Collabora frame inside NextCloud, I was getting an error saying:

Failed to read document from storage. Please contact your storage server (cloud.example.com) administrator.

Turns out that was related to open a new document. It now works in Safari with older documents but new documents won't work.

Firefox still gives me the previous error, though I just noticed there is also a different error present, so maybe the X-Frame-Options one is a red herring.

Load denied by X-Frame-Options: https://docs.example.com/ does not permit framing by https://cloud.example.com/apps/files/.
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified

Sorry, this is a lot of info. I'm just dumping it all as I debug for someone's future reference (probably mine).

girish

@iamthefij I don't know if this is related, but we have an open task to move away from X-Frame-Options which seems to be deprecated - https://git.cloudron.io/cloudron/box/issues/596