Violation of Content Security Policy

Having trouble with integration between Nextcloud and Onlyoffice. “This content is blocked.” is displayed and developer tools show: Refused to frame onlyoffice.domain.tld/:1 http://onlyoffice.domain.tld/ because it violates the following Content Security Policy directive: "frame-src 'self' https://onlyoffice.domain.tld/"

Notice the http in the above error… is that a clue of where to look? There are no errors in the access or error logs.

Edit to add results from curl -I https://nextcloud.domain.tld. Notice that the Content Security Policy and access-control-allow-origin have https://onlyoffice.domain.tld:

HTTP/1.1 302 Found
server: nginx
date: Wed, 17 Jul 2024 19:37:11 GMT
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=15552000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
set-cookie: 5vm3l=odmlmni20abnpdg99s178sv991; path=/; secure; HttpOnly; SameSite=Lax
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: oc_sessionPassphrase=k%j3dwctCPYkHrwBza7aH97bw; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: oc78sv991; path=/; secure; HttpOnly; SameSite=Lax
content-security-policy: default-src 'self'; script-src 'self' 'nonce-d1hUJpam1VcHhGWT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: ocq5nmu5vm3l=odmlmni20abnpdg99s178sv991; path=/; secure; HttpOnly; SameSite=Lax
location: https://nextcloud.domain.tld/login
content-security-policy: frame-src 'self' https://onlyoffice.domain.tld;
access-control-allow-origin: https://onlyoffice.domain.tld;
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
access-control-expose-headers: Content-Length,Content-Range
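
Added example (not part of the original post, and not Nextcloud or ONLYOFFICE code): the response above carries two content-security-policy headers, and a browser enforces every policy it receives, so a frame must pass each one. The sketch below evaluates a frame URL against each policy using a simplified scheme/host/port match; the function names and the abridged SAMPLE_HEADERS are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Constructed sample: the two CSP header lines from the curl output, first one abridged.
SAMPLE_HEADERS = """\
content-security-policy: default-src 'self'; frame-src *; object-src 'none'; base-uri 'self';
content-security-policy: frame-src 'self' https://onlyoffice.domain.tld;
"""

def csp_policies(raw_headers):
    """Return one {directive: [sources]} dict per content-security-policy header."""
    policies = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "content-security-policy":
            continue
        policy = {}
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens:
                policy.setdefault(tokens[0].lower(), tokens[1:])  # first duplicate wins
        policies.append(policy)
    return policies

def source_matches(source, url, page_origin):
    """Simplified match on scheme, host and port; paths and wildcard hosts are ignored."""
    target = urlsplit(url)
    if source == "*":
        return target.scheme in ("http", "https")
    if source == "'self'":
        source = page_origin
    if "://" not in source:
        return False  # 'none', nonces, scheme-only and bare-host sources: not handled here
    src = urlsplit(source)
    # An http: source also covers the https: form of the same host, never the reverse.
    scheme_ok = src.scheme == target.scheme or (src.scheme, target.scheme) == ("http", "https")
    port = target.port or DEFAULT_PORT.get(target.scheme)
    port_ok = port == (src.port or DEFAULT_PORT.get(target.scheme))
    return scheme_ok and src.hostname == target.hostname and port_ok

def frame_verdicts(raw_headers, frame_url, page_origin):
    """One boolean per policy; the frame loads only if every entry is True."""
    verdicts = []
    for policy in csp_policies(raw_headers):
        # frame-src falls back to child-src, then default-src.
        sources = next((policy[d] for d in ("frame-src", "child-src", "default-src") if d in policy), None)
        verdicts.append(sources is None or any(source_matches(s, frame_url, page_origin) for s in sources))
    return verdicts
```

Called with the http:// frame URL from the error message and the page origin https://nextcloud.domain.tld, the first policy passes and the second fails; with the https:// form of the same URL both pass.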

Hello @CaptainYuce

Please specify some information about Nextcloud and Document Server:

  • version of Document Server;
  • installation type of Document Server (Docker, DEB/RPM packages, MSI/EXE);
  • version of Nextcloud;
  • version of the connector app.

In general, are you able to save connector settings when pressing the Save button? Are both Nextcloud and Document Server running over HTTPS?