enable iframe?

    • Sam_uk
      wrote on last edited by girish
      #1

      I'd like to be able to embed some Nextcloud folders in an iframe.

      This is how you'd do it in a traditional environment: https://return2.net/nextcloud-enable-external-iframe/

      How can I do this in Cloudron? Can the app admin add it as a flag in the upstream config? Who is the admin for Nextcloud?

      • jimcavoli
        App Dev
        wrote on last edited by
        #2

        You can't use that particular method of editing the code, but you could look into setting a custom CSP via the app configuration (may need some maintenance to keep everything working in the future) - https://docs.cloudron.io/apps/#custom-csp - You'd need to get a copy of the CSP header being sent by your installation presently, then you can adjust the iframe sources allowed manually and put the entire adjusted CSP in place.

          • Sam_uk
          wrote on last edited by
          #3

          @jimcavoli Thanks, that's fixed it 🙂

            • samuelandert.eth
            wrote on last edited by
            #4

            I have another question about this case. I am trying to add a custom interface dashboard, which embeds each of the Cloudron apps as iframes into my UI.

            While I made the iframe embedding work with adding the CSP like this:

            frame-ancestors 'self' http://localhost:*;
            I am not able to log in to Nextcloud via the embedded iframe (after sending email and password, nothing happens).

            Then for penflip it is different again when pressing the OpenID connection button: Refused to frame 'https://my.cloudron.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". (Is there a way to enable custom CSP embedding for the whole my.cloudron.com as well?)

            For Paperless this is the response:
            Verboten (403)
            CSRF-Verifizierung fehlgeschlagen. Anfrage abgebrochen.

            Sie sehen Diese Nachricht, da diese Seite einen CSRF-Cookie beim Verarbeiten von Formulardaten benötigt. Dieses Cookie ist aus Sicherheitsgründen notwendig, um sicherzustellen, dass Ihr Webbrowser nicht von Dritten missbraucht wird.

            Falls Sie Cookies in Ihren Webbrowser deaktiviert haben, müssen Sie sie mindestens für diese Seite oder für „Same-Origin“-Verbindungen reaktivieren.

            Mehr Information ist verfügbar mit DEBUG=True.

            For some other apps this works perfectly fine, e.g. Directus.

            Is there a general way of solving this nicely for any app?

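The procedure from post #2 (take the CSP the app currently sends, change only the framing sources, put the whole policy back) and the `frame-ancestors` values quoted in post #4, as an added example that is not part of any post or of Cloudron's code. The sample header is constructed, the function names are hypothetical, and the matcher is simplified (no host wildcards or paths).

```javascript
// Constructed sample header; take the real one from your own app's response.
const SAMPLE_CSP = "default-src 'self'; script-src 'self'; frame-ancestors 'self'";

// Split a CSP header value into a Map: directive name -> list of source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the whole policy again with only frame-ancestors replaced.
function withFrameAncestors(header, sources) {
  const policy = parseCsp(header);
  policy.set('frame-ancestors', sources);
  return [...policy].map(([name, vals]) => [name, ...vals].join(' ')).join('; ');
}

// Simplified check: may a page at `embedder` frame a resource served from
// `selfOrigin` under this policy? Handles 'none', 'self', * and scheme://host[:port|:*].
function allowsEmbedder(header, embedder, selfOrigin) {
  const sources = parseCsp(header).get('frame-ancestors');
  if (sources === undefined) return true; // CSP itself places no limit on framing
  const e = new URL(embedder);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return new URL(selfOrigin).origin === e.origin;
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^:\/]+)(?::(\d+|\*))?$/i.exec(src);
    if (!m) return false;
    const [, scheme, host, port] = m;
    const s = scheme.toLowerCase() + ':';
    // An http: source also matches an https: embedder (CSP scheme upgrade).
    if (s !== e.protocol && !(s === 'http:' && e.protocol === 'https:')) return false;
    if (host.toLowerCase() !== e.hostname) return false;
    if (port === '*') return true;
    const defaultPort = e.protocol === 'https:' ? '443' : '80';
    return (port || defaultPort) === (e.port || defaultPort);
  });
}
```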
              • nebulon
              Staff
              wrote on last edited by
              #5

              Generally embedding an app in an iframe on another domain is tricky due to security restrictions. Mostly this has to be supported by an app explicitly if they properly lock down asset loading (which they should) mainly through CSP headers/meta-tags.

              A main security issue here is the fact that if an app allows, for example, the login page to be embedded in other domains, it could lead to it being embedded in a page which is crafted in a way to capture user input like passwords, then compromising the user.

              Same goes for cookies, which should ideally be locked down to the origin the app is configured to run on, to avoid leaking cookie information.

                • samuelandert.eth
                wrote on last edited by
                #6

                Thanks for the clarification and explaining the security implications. Would it work in a secure way if the "iframe" app is on the same domain, e.g. iframe.cloudron.app?
