Solved Vimeo domain restriction issue
I have just moved a WordPress website from a different server onto a Cloudron using the LAMP App. The site includes a number of embedded Vimeo videos which are protected using domain restriction. On the old server they worked fine; on the Cloudron server the videos will not play 'because of the domain restriction settings'. If I remove the restriction they play fine and I cannot work out why this should be happening.
Does Vimeo perhaps check for something else besides the domain name? I can't find any information that would suggest this to be the case. I am thinking it could just be a DNS issue which will resolve itself after a while, but if it is not, does the LAMP App block any referer information that might be the cause?
Any help or suggestions would be greatly appreciated.
@ccfu if you open up the webinspector in your browser, does it show any warnings about this?
This may be related to CSP, see https://docs.cloudron.io/apps/#custom-csp for more details
Thanks for the input. I also suspected CSP, but the videos load when the domain restriction is turned off, so I think it is more likely to be because of the referrer-policy "same-origin". I eventually found a post on the Internet which suggested setting "strict-origin-when-cross-origin" in .htaccess, but this doesn't seem to have any effect, as the page is still showing "same-origin" in Inspector. Or does this have to go in the apache.conf, with the app then restarted, to work with Cloudron? I am now wondering whether the WordPress installation is overriding the header setting in .htaccess, so will check that too.
Edit: It seems that the App is somehow overriding any attempt to change the referrer policy. Could that be? I added the referrer policy to the header in WordPress and also tried via a plugin, and it is still not changing what is sent to the browser.
@ccfu the nginx reverse proxy would overwrite that header and will set it to "same-origin" to have a sane default for apps which don't set it.
I guess in this case we have no way for now to let an app overwrite this, which seems to be required in your case.
Can you also share the link which suggests to set "strict-origin-when-cross-origin"? I would like to understand how vimeo handles this.
@nebulon My understanding is that the referrer is not sent when same-origin is set.
Here is the link I was referring to: https://github.com/getkirby/kirby/issues/3257
There may of course be a better way and ideally the header should not be set universally.
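To make the "referrer is not sent when same-origin is set" point concrete, here is an added example (not code from Cloudron, WordPress or Vimeo) that simulates, per the W3C Referrer Policy algorithm, which Referer value a browser sends for a cross-origin embed under each policy value. The page and player URLs are constructed sample values, and the `embedding_domain_visible` helper is an assumption that models the domain-restriction check as "read the embedding site from the Referer", which is what this thread suspects.

```python
"""Simulate the Referer header a browser sends under each Referrer-Policy.

Added example for this thread; not Cloudron, WordPress or Vimeo code.
All URLs used below are constructed samples.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin(url):
    """scheme://host[:port] of a URL (no path, credentials or fragment)."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def stripped(url):
    """Full URL with userinfo and fragment removed, as the spec strips a referrer."""
    p = urlsplit(url)
    netloc = origin(url).split("://", 1)[1]
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(policy, page_url, request_url):
    """Return the Referer value (or None) sent from page_url to request_url."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = origin(page_url) == origin(request_url)
    # A downgrade is an https page making a plain-http request.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    full = stripped(page_url)
    orig = origin(page_url) + "/"  # origin-only referrers carry a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return orig
    if policy == "strict-origin":
        return None if downgrade else orig
    if policy == "origin-when-cross-origin":
        return full if same_origin else orig
    # strict-origin-when-cross-origin (the browser default)
    if same_origin:
        return full
    return None if downgrade else orig


def embedding_domain_visible(policy, page_url, player_url):
    """Assumed model of a domain-restriction check: the host the player can
    learn from the Referer, or None when no Referer arrives at all."""
    ref = referer_for(policy, page_url, player_url)
    return urlsplit(ref).hostname if ref else None


if __name__ == "__main__":
    # Constructed sample: a WordPress post embedding a third-party player.
    page = "https://example.com/blog/post?x=1#top"
    player = "https://player.example.net/video/123"
    for pol in POLICIES:
        print(f"{pol:32} Referer={referer_for(pol, page, player)!r:38} "
              f"domain seen={embedding_domain_visible(pol, page, player)!r}")
```

Under "same-origin" the player request carries no Referer, so a check keyed on the embedding domain has nothing to compare and fails closed, whereas "strict-origin-when-cross-origin" still discloses the origin (and only the origin) to the third party; that is the trade-off behind letting the app choose its own header instead of having the proxy force a universal value.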
@ccfu I am not quite sure anymore why we are explicitly overriding that header, even if it is passed from the upstream server (i.e. the app in this case).
I've pushed a change for the next release which will allow overriding it now: https://git.cloudron.io/cloudron/box/-/commit/70f2337b09f321c1252fd0e17754e5ffbb1080d9
Does anyone know if this may have problematic side-effects security wise?