Override Content Security Policy not working

DualOSWinWiz · wrote on Feb 8, 2023, 4:17 PM

i need to run mattermost in iframe and overriding the

Content Security Policy
Setting this option will override any CSP headers sent by the app itself

i am trying to override to "frame-ancestors 'xyz.zyz';

can anyone help in this regard

nebulon · Feb 8, 2023, 4:58 PM

Have you seen the documentation for this at https://docs.cloudron.io/apps/#custom-csp ?

DualOSWinWiz · wrote on Feb 8, 2023, 4:58 PM

@nebulon yes i tried exactly but its not working

nebulon · wrote on Feb 9, 2023, 4:14 PM

I just tried this on a fresh installation and I can see the CSP header correctly sent after configuring it through the Cloudron dashboard. Can you maybe curl the page with -v and check the sent headers there?

girish · wrote on Feb 10, 2023, 7:27 AM

Looks like https://forum.mattermost.com/t/recipe-embedding-mattermost-in-web-applications-using-an-iframe-unsupported-recipe/10233 is the latest recipe.

girish · wrote on Feb 10, 2023, 7:40 AM

Configure mattermost like so:

Then in surfer app (the app configured above), use the following code:

<!DOCTYPE html>
<html>

<body style="text-align: center">
	<iframe src="https://mattermost.smartserver.io" height="200" width="400">
	</iframe>
</body>

</html>

The going to surfer.smartserver.io, I get:

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Cloudron Forum

Override Content Security Policy not working