    Solved Vimeo domain restriction issue

    • C
      ccfu last edited by

      I have just moved a WordPress website from a different server on to a Cloudron using the LAMP App. The site includes a number of embedded Vimeo videos which are protected using domain restriction. On the old server they worked fine, on the Cloudron server the videos will not play 'because of the domain restriction settings'. If I remove the restriction they play fine and I cannot work out why this should be happening.

      Does Vimeo perhaps check for something else besides the domain name? I can't find any information that would suggest this to be the case. I am thinking it could just be a DNS issue which will resolve itself after a while, but if it is not, does the LAMP App block any referer information that might be the cause?

      Any help or suggestions would be greatly appreciated.

      • nebulon
        nebulon Staff @ccfu last edited by

        @ccfu if you open up the web inspector in your browser, does it show any warnings about this?

        This may be related to CSP, see https://docs.cloudron.io/apps/#custom-csp for more details.

        • C
          ccfu @nebulon last edited by ccfu

          @nebulon

          Thanks for the input. I also suspected CSP but the videos load when the domain restriction is turned off so I think it is more likely to be because of the referrer-policy "same-origin". I eventually found a post on the Internet which suggested setting "strict-origin-when-cross-origin" in .htaccess, but this doesn't seem to have any effect as the page is still showing "same-origin" in Inspector. Or does this have to go in the apache.conf and then restart the app to work with Cloudron? I am now wondering whether the WordPress installation is overriding the header setting in .htaccess so will check that too.

          Edit: It seems that the App is somehow overriding any attempt to change the referrer policy. Could that be? I added the referrer policy to the header in WordPress and also tried via a plugin and it is still not changing what is sent to the browser.

          • nebulon
            nebulon Staff @ccfu last edited by

            @ccfu the nginx reverse proxy would overwrite that header and will set it to "same-origin" to have a sane default for apps which don't set it.

            I guess in this case we have no way for now to let an app overwrite this, which seems to be required in your case.

            Can you also share the link which suggests to set strict-origin-when-cross-origin? I would like to understand how Vimeo handles this.

            • C
              ccfu @nebulon last edited by ccfu

              @nebulon My understanding is that the referrer is not sent when same-origin is set.

              Here is the link I was referring to: https://github.com/getkirby/kirby/issues/3257

              There may of course be a better way and ideally the header should not be set universally.

              • nebulon
                nebulon Staff @ccfu last edited by

                @ccfu I am not quite sure anymore why we are explicitly overriding that header, even if it is passed from the upstream server (i.e. the app in this case).

                I've pushed a change for next release which will allow overriding it now: https://git.cloudron.io/cloudron/box/-/commit/70f2337b09f321c1252fd0e17754e5ffbb1080d9

                Does anyone know if this may have problematic side-effects security wise?

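An added example, not part of the thread and not Cloudron's code: it computes the `Referer` a browser sends under each Referrer-Policy value, and models the two proxy behaviours discussed above (forcing `same-origin` versus using it only as a default). The URLs, the `force` flag and the function names are assumptions made for illustration.

```javascript
// Constructed sample values: a page on the site and a cross-origin player URL.
const PAGE = "https://blog.example.org/lessons/week-1?student=42#video";
const EMBED = "https://player.video-host.example/video/1";

// Referrer with credentials and fragment removed, or reduced to the origin.
function strip(pageUrl, originOnly) {
  const u = new URL(pageUrl);
  if (originOnly) return u.origin + "/";
  u.username = ""; u.password = ""; u.hash = "";
  return u.href;
}

// Referer value a browser sends for a request under a policy (null = none).
// "downgrade" is simplified here to an https page requesting a non-https URL.
function refererFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  const same = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "same-origin": return same ? strip(pageUrl) : null;
    case "origin": return strip(pageUrl, true);
    case "strict-origin": return downgrade ? null : strip(pageUrl, true);
    case "origin-when-cross-origin": return strip(pageUrl, !same);
    case "strict-origin-when-cross-origin":
      if (same) return strip(pageUrl);
      return downgrade ? null : strip(pageUrl, true);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(pageUrl);
    case "unsafe-url": return strip(pageUrl);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hypothetical model of the proxy: force "same-origin", or use it only as a
// default when the app behind the proxy sent no Referrer-Policy of its own.
function effectivePolicy(appHeaders, force) {
  const fromApp = appHeaders["referrer-policy"];
  return force || !fromApp ? "same-origin" : fromApp;
}

// What the video host sees when the page embeds the player.
function embedReferer(appHeaders, force) {
  return refererFor(effectivePolicy(appHeaders, force), PAGE, EMBED);
}

const app = { "referrer-policy": "strict-origin-when-cross-origin" };
console.log(embedReferer(app, true));   // header forced by the proxy
console.log(embedReferer(app, false));  // app's header passed through
```

With the header forced, the cross-origin player request carries no `Referer`, so a host that checks the embedding domain has nothing to check. With `strict-origin-when-cross-origin` passed through, only the origin is sent; the path and query string stay on the site.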