Collabora NextCloud issue
-
Ok, so I've been racking my brain on this one for a while and can't figure it out.
I've got NextCloud installed at cloud.mydomain.com, and Collabora installed at docs.mydomain.com. I've updated Collabora to allow framing by https://cloud.mydomain.com as well as updated the host name in the app itself. I've also installed the Collabora app in NextCloud as well as told it to look at https://docs.mydomain.com.
This had been working for a while. Today I noticed it just kept spinning when trying to view a doc, and I see in the JavaScript console the following perplexing line:
Loading denied by X-Frame-Options: https://md.mydomain.com/ does not permit framing by https://cloud.mydomain.com/apps/files/?dir=/path/to/doc
What?! I do have an app (CodiMD) hosted at md.mydomain.com; however, that is something completely irrelevant. Just in case, I updated it to allow framing in https://cloud.iamthefij.com, but that doesn't seem to have helped either.
From there I started debugging. I grepped the /app directories for md.mydomain.com in both my NextCloud and Collabora containers, but found nothing. I tried renaming md.mydomain.com to md2.mydomain.com, but I got the exact same error:
Loading denied by X-Frame-Options: https://md.mydomain.com/ does not permit framing by https://cloud.mydomain.com/apps/files/?dir=/path/to/doc
On the other hand, when I rename docs.mydomain.com to docs2.mydomain.com, I get a NextCloud error that it can't connect to Collabora! So it seems like NextCloud is connecting to Collabora, but for some reason it's then trying to load a different host...
-
Tried that, but it did not fix it. For some reason it still shows the same thing.
FYI, the default is insecure. [a-zA-Z0-9_\-.]*example.com would actually allow someone to use a malicious domain like fake-example.com and use the instance, as it would match that regex. It should really be example.com|[a-zA-Z0-9_\-]+.example.com. That way it's checking for the root domain or any subdomain with a dot before the domain.
-
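The host allow-list regex discussed in the post above is worth checking mechanically. The script below is an added example, not code from the thread, from Collabora or from Cloudron: it applies the default pattern and the proposed replacement, both copied verbatim from the post, to a constructed list of hostnames, and adds a third, hypothetical pattern with every dot escaped. The sample hostnames, the assumption that the allow-list is evaluated as a full-string match, and the names allowed_hosts and overreach are all mine. Because the dots in the proposed pattern are unescaped, the `.` before example.com matches any character, so fake-example.com still gets through it; the escaped form rejects it, and the final call shows that even the escaped form needs anchoring.

```python
import re

# Constructed sample hostnames for the check; not taken from the thread.
HOSTS = [
    "example.com",           # the root domain itself
    "cloud.example.com",     # a real subdomain
    "fake-example.com",      # the lookalike from the post
    "evilexample.com",       # no separator before the domain at all
    "example.com.evil.net",  # the trusted name as a prefix of another host
]

# The two patterns exactly as quoted in the post above.
DEFAULT_PATTERN = r"[a-zA-Z0-9_\-.]*example.com"
PROPOSED_PATTERN = r"example.com|[a-zA-Z0-9_\-]+.example.com"
# Hypothetical tightened form (not from the post): every dot escaped, so the
# label before example.com must be separated from it by a literal dot.
STRICT_PATTERN = r"example\.com|[a-zA-Z0-9_\-]+\.example\.com"


def allowed_hosts(pattern, hosts=HOSTS, anchored=True):
    """Return the hosts that `pattern` accepts.

    anchored=True applies the pattern as a full-string match, which is the
    assumption made here about how the host allow-list is evaluated;
    anchored=False shows what an unanchored search would let through.
    """
    rx = re.compile(pattern)
    check = rx.fullmatch if anchored else rx.search
    return [h for h in hosts if check(h)]


def overreach(pattern, intended=("example.com", "cloud.example.com")):
    """Hosts the pattern accepts (as a full match) that are not in the intended set."""
    return [h for h in allowed_hosts(pattern) if h not in intended]


if __name__ == "__main__":
    for name, pat in (("default", DEFAULT_PATTERN),
                      ("proposed", PROPOSED_PATTERN),
                      ("strict", STRICT_PATTERN)):
        print(f"{name:9} {pat!r}")
        print(f"          accepts:   {allowed_hosts(pat)}")
        print(f"          overreach: {overreach(pat)}")
    # Even the strict pattern needs anchoring: an unanchored search finds
    # example.com inside example.com.evil.net and fake-example.com.
    print("strict, unanchored:", allowed_hosts(STRICT_PATTERN, anchored=False))
```

Run it and compare the overreach lines: the default and the proposed pattern admit the same two lookalikes, while the escaped form admits only the intended hosts, and only when applied as a full match.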
Just tried in Safari and got much more detailed information:
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://cloud.example.com/apps/richdocuments/index?fileId=11418&requesttoken=blah': 'ALLOW-FROM https://md.example.com' is not a recognized directive. The header will be ignored.
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://docs.example.com/loleaflet/blah/loleaflet.html?WOPISrc=https%3A%2F%2Fcloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F11418_blah&title=Test.odt&lang=en&closebutton=1&revisionhistory=1': 'ALLOW-FROM https://cloud.example.com' is not a recognized directive. The header will be ignored.
It looks like both are trying to frame each other. When I did check my settings for cloud.example.com, I saw that I had allowed cloud.example.com to be embedded in md.example.com, so I'm wondering if that's where this is coming from. Updated both to allow embedding from each other now.
Oddly enough, I still get errors saying framing is not allowed.
Firefox gives me:
Load denied by X-Frame-Options: https://docs.example.com/ does not permit framing by https://cloud.example.com/apps/files/?dir=/Documents
Safari gives me:
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://cloud.example.com/apps/richdocuments/index?fileId=11418&requesttoken=blah%3D%blah%blah%3D': 'ALLOW-FROM https://docs.example.com' is not a recognized directive. The header will be ignored.
[Error] Invalid 'X-Frame-Options' header encountered when loading 'https://docs.example.com/loleaflet/blah/loleaflet.html?WOPISrc=https%3A%2F%2Fcloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1141blah&title=Test.odt&lang=en&closebutton=1&revisionhistory=1': 'ALLOW-FROM https://cloud.example.com' is not a recognized directive. The header will be ignored.
The header itself shows X-Frame-Options: ALLOW-FROM https://cloud.example.com ... which looks right.
-
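Safari's console message above is the key observation: ALLOW-FROM is not a recognized X-Frame-Options value in Safari, Chrome never implemented it, and Firefox has since dropped it, so in those browsers the header is discarded and the page can be framed from anywhere. The allow-list the poster is trying to express is what the Content-Security-Policy frame-ancestors directive provides, and when that directive is present it takes precedence over X-Frame-Options. The script below is an added example, not code from the thread or from either project, that models these rules: it parses constructed header sets (my own, not captured from the poster's servers) and decides whether a page served with them may be framed by a given embedder. The helper names origin_of, parse_headers and framing_allowed, the sample URLs and the attacker host are all assumptions made for the example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased, as the browser compares origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source, embedder, page):
    """Does one frame-ancestors source expression admit `embedder`?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src in ("http:", "https:"):          # scheme-source
        return embedder.startswith(src + "//")
    scheme, _, host = src.rpartition("://")  # host-source, scheme optional
    e_scheme, _, e_host = embedder.partition("://")
    if scheme and scheme != e_scheme:
        return False
    if host.startswith("*."):                # *.example.com: subdomains only
        return e_host.endswith(host[1:])
    return e_host == host


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_allowed(headers, page_url, embedder_url):
    """Return True if `page_url`, served with `headers`, may be framed by `embedder_url`."""
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors decides and X-Frame-Options is ignored; an
            # empty source list means no ancestor is allowed.
            return any(_source_matches(s, embedder, page) for s in parts[1:])
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # Anything else, ALLOW-FROM included, is an unrecognized value: the header
    # is dropped and the page can be framed from anywhere.
    return True


# Constructed header sets for the check (not captured from the poster's servers).
ALLOW_FROM_ONLY = parse_headers("X-Frame-Options: ALLOW-FROM https://cloud.example.com")
CSP_ALLOWLIST = parse_headers(
    "X-Frame-Options: SAMEORIGIN\n"
    "Content-Security-Policy: frame-ancestors 'self' https://cloud.example.com"
)
DOCS = "https://docs.example.com/loleaflet/abc/loleaflet.html"
CLOUD = "https://cloud.example.com/apps/files/?dir=/Documents"
OTHER = "https://attacker.example.net/"

if __name__ == "__main__":
    for label, hdrs in (("ALLOW-FROM only", ALLOW_FROM_ONLY), ("CSP allow-list", CSP_ALLOWLIST)):
        print(label,
              "| cloud may frame docs:", framing_allowed(hdrs, DOCS, CLOUD),
              "| attacker may frame docs:", framing_allowed(hdrs, DOCS, OTHER))
```

With only the ALLOW-FROM header, both the intended embedder and the attacker host are admitted, which is the practical consequence of the "header will be ignored" message; with the frame-ancestors allow-list, only cloud.example.com (and docs.example.com itself via 'self') gets through, regardless of the SAMEORIGIN value beside it.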
More debugging weirdness! Looks like the Safari errors can be ignored. The iframe actually seems to be loading fine. I tested using my external link to Gitea embedded in NextCloud. It renders just fine, but the errors still show in the log. Weird.
Then, within the Collabora frame inside NextCloud, I was getting an error saying:
Failed to read document from storage. Please contact your storage server (cloud.example.com) administrator.
Turns out that was related to opening a new document. It now works in Safari with older documents, but new documents won't work.
Firefox still gives me the previous error, though I just noticed there is also a different error present, so maybe the X-Frame-Options one is a red herring.
Load denied by X-Frame-Options: https://docs.example.com/ does not permit framing by https://cloud.example.com/apps/files/.
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Sorry, this is a lot of info. I'm just dumping it all as I debug for someone's future reference (probably mine).
-
@iamthefij I don't know if this is related, but we have an open task to move away from X-Frame-Options which seems to be deprecated - https://git.cloudron.io/cloudron/box/issues/596