Collabora + Nextcloud can't open document online, frame ancestor issue

Hi,
I’m running a LAMP nextcloud and have installed Collabora through package manager. Both running on the same VPS. So far I can’t open any document with firefox, it complains about frame ancestor. Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-ancestors) at <unknown> because it violates the following directive: “frame-ancestors 'self'”

For installation I followed this guide: Collabora integration guide - 📑 How to - Nextcloud community. In the admin interface I see a green check mark so connection is ok from there. I can also access CODE admin panel from outside.

For troubleshooting I followed this: Cross-origin frame problems - #4 by darshan. But my problem seems to be different because setting the frame ancestor manually doesn’t help.

In firefox when I open cool.html I see that the frame ancestors should be correctly set already.


      <input type="hidden" id="initial-variables"
      data-host = "wss://<office-url>"
      data-service-root = ""
      data-hexify-url = "false"
      data-version-path = "b7ba9a23ba"
      data-access-token = ""
      data-access-token-ttl = "0"
      data-access-header = ""
      data-post-message-origin-ext = ""
      data-cool-logging = ""
      data-coolwsd-version = "24.04.13.3"
      data-enable-welcome-message = "true"
      data-auto-show-welcome = "false"
      data-auto-show-feedback = "false"
      data-allow-update-notification = "true"
      data-user-interface-mode = "notebookbar"
      data-use-integration-theme = "false"
      data-statusbar-save-indicator = "true"
      data-enable-macros-execution = "false"
      data-enable-accessibility = "false"
      data-out-of-focus-timeout-secs = "300"
      data-idle-timeout-secs = "900"
      data-min-saved-message-timeout-secs = "6";
      data-protocol-debug = "false"
      data-enable-debug = "false"
      data-frame-ancestors = "%20<office-url>:%2A%20<nextcloud-url>:%2A"
      data-socket-proxy = "false"
      data-ui-defaults = "e30="
      data-check-file-info-override = "{}"
      data-deepl-enabled = "false"
      data-zotero-enabled = "true"
      data-document-signing-enabled = "true"
      data-saved-ui-state = "true"
      data-extra-export-formats = ""
      data-wasm-enabled = "false"
      data-indirection-url = ""
      data-geolocation-setup = "%GEOLOCATION_SETUP%"
      data-canvas-slideshow-enabled = "true"
      />

I’m out of ideas what went wrong. I noticed there’s an extra ; in data-min-saved-message-timeout-secs but I don’t know if this is relevant.

Best regards,
William

Hi @william ,

Thanks for the detailed information. From what you’re describing, the root issue is the Content-Security-Policy (CSP) — specifically the frame-ancestors directive — which is being enforced by your Nextcloud server, not Collabora.

TL;DR:

Your browser is blocking the Collabora iframe inside Nextcloud due to CSP settings on the Nextcloud side.

Still, I would recommend searching the Collabora Online forum with the keyword LAMP. For example, I found this thread: Nextcloud connects fine to CODE docker container but can't open any documents - #3 by Tex

It may or may not solve your issue, but yes, you can always search through the previous topics. I am sure I have seen a few LAMP issues in the past. So can you please search and see if you find anything?

Let me know.

Thanks
Darshan

Thanks for the reply. I managed to solve the issue. I was inspired by this thread: Debugging help - Nextcloud- coolwsd servers - #8 by FamousL

Turns out, I’ve set Header set Content-Security-Policy "frame-ancestors 'self';" in my apache config as a security measure. Previously with only nextcloud running on the server, this works just fine. But not with Collabora added to the setup. Now I’ve commented out this config line, I can finally open documents.

The tricky part of my issue was that none of the logs show any errors, neither nextcloud nor CODE nor apache told me something went wrong. CODE just had one warning convert-to: Requesting address is denied: ***.***.**.** but it was not relevant.

The config in question is a line provided by the apache installation in etc/apache2//conf-enabled/security.conf. Do you know if I can somehow modify this line to make it secure against other types of attacks while enabling CODE access?

Regards,
William

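The outcome of this thread can be reproduced offline: a server-wide `frame-ancestors 'self'` on the Collabora page refuses a Nextcloud parent on another origin, while the same header on Nextcloud's own pages is harmless. The checker below is an added example, not code from any post or from Collabora or Nextcloud; the hostnames and `/cool.html` path are constructed placeholders and the source matching is a simplified subset of the CSP rules.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]

def _source_matches(source, parent, self_url):
    """Simplified match: 'self', *, [scheme://]host[:port|:*] (no IPv6, no paths)."""
    p_scheme, p_host, p_port = _origin(parent)
    if source == "'self'":
        return _origin(self_url) == (p_scheme, p_host, p_port)
    if source == "*":
        return True
    scheme, _, rest = source.rpartition("://")
    host, _, port = rest.partition(":")
    # A source without a scheme inherits the scheme of the framed page.
    if p_scheme != (scheme or _origin(self_url)[0]):
        return False
    if host.startswith("*."):
        if not p_host.endswith(host[1:]):
            return False
    elif host != p_host:
        return False
    # No port in the source means the default port for the scheme.
    return port == "*" or p_port == (int(port) if port else DEFAULT_PORTS[p_scheme])

def frame_allowed(csp_headers, parent, self_url):
    """True only if every policy carrying frame-ancestors permits `parent`."""
    for header in csp_headers:
        for policy in header.split(","):  # one header can hold several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    if not any(_source_matches(s, parent, self_url) for s in parts[1:]):
                        return False
                    break  # only the first frame-ancestors in a policy counts
    return True

# Constructed sample values (hostnames are placeholders, not from the thread).
COOL = "https://office.example.com/cool.html"
NEXTCLOUD = "https://cloud.example.com/apps/files/"
GLOBAL = "frame-ancestors 'self';"  # the header value quoted in the thread
INTENDED = "frame-ancestors office.example.com:* cloud.example.com:*"

if __name__ == "__main__":
    print(frame_allowed([GLOBAL], NEXTCLOUD, COOL))            # False
    print(frame_allowed([INTENDED], NEXTCLOUD, COOL))          # True
    print(frame_allowed([INTENDED, GLOBAL], NEXTCLOUD, COOL))  # False
```

`INTENDED` has the shape of the decoded `data-frame-ancestors` value shown in the first post; the third call shows that when both headers reach the browser, the stricter one still blocks the frame.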