enable iframe?
-
I'd like to be able to embed some Nextcloud folders in an iframe.
This is how you'd do it in a traditional environment: https://return2.net/nextcloud-enable-external-iframe/
How can I do this in Cloudron? Can the app admin add it as a flag in the upstream config? Who is the admin for Nextcloud?
-
You can't use that particular method of editing the code, but you could look into setting a custom CSP via the app configuration (may need some maintenance to keep everything working in the future) - https://docs.cloudron.io/apps/#custom-csp - You'd need to get a copy of the CSP header being sent by your installation presently, then you can adjust the iframe sources allowed manually and put the entire adjusted CSP in place.
-
I have another question on this case. I am trying to add a custom interface dashboard, which embeds each of the Cloudron apps as iframes into my UI.
While I made the iframe embedding work with adding the CSP like this:
frame-ancestors 'self' http://localhost:*;
I am not able to log in to Nextcloud via the embedded iframe (after sending email and password, nothing happens). Then for Penflip it is also different again; when pressing the OpenID connection button: Refused to frame 'https://my.cloudron.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". (Is there a way to enable custom CSP embedding for the whole of my.cloudron.com as well?)
For Paperless this is the response:
Verboten (403)
CSRF-Verifizierung fehlgeschlagen. Anfrage abgebrochen. Sie sehen diese Nachricht, da diese Seite einen CSRF-Cookie beim Verarbeiten von Formulardaten benötigt. Dieses Cookie ist aus Sicherheitsgründen notwendig, um sicherzustellen, dass Ihr Webbrowser nicht von Dritten missbraucht wird.
Falls Sie Cookies in Ihren Webbrowser deaktiviert haben, müssen Sie sie mindestens für diese Seite oder für „Same-Origin“-Verbindungen reaktivieren.
Mehr Information ist verfügbar mit DEBUG=True.
For some other apps this works perfectly fine, e.g. Directus.
Is there a general way of solving this nicely for any app?
-
Generally embedding an app in an iframe on another domain is tricky due to security restrictions. Mostly this has to be supported by an app explicitly if they properly lock down asset loading (which they should) mainly through CSP headers/meta-tags.
A main security issue here is the fact that if an app allows, for example, the login page to be embedded in other domains, it could lead to it being embedded in a page which is crafted in a way to capture user input like passwords, thereby compromising the user.
Same goes for cookies, which should ideally be locked down to the origin the app is configured to run on, to avoid leaking cookie information.
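As an added illustration (not code from this thread or from Cloudron), the following Python checker evaluates a frame-ancestors directive against a would-be embedding origin the way a browser does, showing why 'self' http://localhost:* admits a localhost dashboard, why 'none' refuses every ancestor (the my.cloudron.com error above), and why a sibling host is a different origin and must be listed explicitly. All hostnames and the sample headers are constructed examples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample headers modelled on the ones discussed in the thread.
CSP_LOCKED = "default-src 'self'; frame-ancestors 'none'"
CSP_EMBED_LOCAL = "default-src 'self'; frame-ancestors 'self' http://localhost:*"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(origin):
    """Normalise an origin string such as https://app.example.com:8443 to (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def host_source_matches(source, ancestor):
    """Match one host-source (e.g. http://localhost:*, *.example.com) against (scheme, host, port)."""
    a_scheme, a_host, a_port = ancestor
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^:/]+)(?::(\*|\d+))?", source, re.I)
    if not m:
        return False
    scheme, wild, host, port = m.groups()
    if scheme and scheme.lower() != a_scheme:
        return False
    host = host.lower()
    if wild:  # *.example.com covers subdomains only, not example.com itself
        if not a_host.endswith("." + host):
            return False
    elif a_host != host:
        return False
    if port is None:  # no port in the source: only the scheme's default port matches
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return port == "*" or int(port) == a_port


def frame_ancestor_allowed(csp_header, ancestor_origin, app_origin):
    """True if a page served with csp_header from app_origin may be framed by ancestor_origin.
    Without a frame-ancestors directive CSP imposes no framing restriction at all
    (X-Frame-Options, if present, is a separate check and is not modelled here)."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = parts[1:]
        if not sources or sources == ["'none'"]:
            return False
        ancestor = origin_tuple(ancestor_origin)
        for src in sources:
            if src == "'self'":  # exact origin match: scheme, host and port
                if ancestor == origin_tuple(app_origin):
                    return True
            elif re.fullmatch(r"[a-z][a-z0-9+.-]*:", src, re.I):  # scheme-source like https:
                if src[:-1].lower() == ancestor[0]:
                    return True
            elif host_source_matches(src, ancestor):
                return True
        return False
    return True
```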
-
Thanks for the clarification and for explaining the security implications. Would it work in a secure way if the "iframe" app is on the same domain, e.g. iframe.cloudron.app?