Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-src)

Installation & Configuration
1

Hi. I’m having trouble with embedding collabora in my owncloud instance. I get the following error:

Content-Security-Policy: The page’s settings blocked the loading of a resource (frame-src) at https://[collabora-instance]/browser/321ff0a561/cool.html?WOPISrc=https%3A%2F%2Focis.arne-boedt.be%3A443%2Fwopi%2Ffiles%2F1849b532065a376343ff11d8e3592b22767d778bdd8c39ef7500acf430262841&lang=en-US because it violates the following directive: “frame-src 'self' blob: https://embed.diagrams.net/” New file.odt

The following is my docker config:

name: ocis
services:
  collabora:
    cap_add:
      - MKNOD
    command:
      - bash
      - -c
      - coolconfig generate-proof-key ; /start-collabora-online.sh
    environment:
      DONT_GEN_SSL_CERT: "YES"
      aliasgroup1: https://[ocis-instance]:443
      extra_params: |
        --o:ssl.enable=false \
        --o:ssl.ssl_verification=false \
        --o:ssl.termination=true \
        --o:welcome.enable=false \
        --o:net.frame_ancestors=https://[ocis-instance]
      password: admin
      username: admin
    healthcheck:
      test:
        - CMD
        - curl
        - -f
        - http://localhost:9980/hosting/discovery
    image: collabora/code:24.04.12.3.1
    logging:
      driver: local
    networks:
      ocis-net: null
    ports:
      - mode: ingress
        target: 9980
        published: "9980"
        protocol: tcp
    restart: always
  collaboration:
    command:
      - -c
      - ocis collaboration server
    depends_on:
      collabora:
        condition: service_healthy
        required: true
      ocis:
        condition: service_started
        required: true
    entrypoint:
      - /bin/sh
    environment:
      COLLABORATION_APP_ADDR: https://[collabora-instance]
      COLLABORATION_APP_ICON: https://[collabora-instance]/favicon.ico
      COLLABORATION_APP_INSECURE: "true"
      COLLABORATION_APP_NAME: CollaboraOnline
      COLLABORATION_APP_PRODUCT: Collabora
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "true"
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      COLLABORATION_LOG_LEVEL: info
      COLLABORATION_WOPI_SRC: https://[ocis-instance]
      MICRO_REGISTRY: nats-js-kv
      MICRO_REGISTRY_ADDRESS: ocis:9233
      OCIS_URL: https://[ocis-instance]
    image: owncloud/ocis-rolling:latest
    logging:
      driver: local
    networks:
      ocis-net: null
    ports:
      - mode: ingress
        target: 9142
        published: "9142"
        protocol: tcp
    restart: always
    volumes:
      - type: bind
        source: /root/ocis/ocis-config
        target: /etc/ocis
        bind:
          create_host_path: true
  ocis:
    command:
      - -c
      - ocis init || true; ocis server
    entrypoint:
      - /bin/sh
    environment:
      COLLABORA_DOMAIN: [collabora-instance]
      COMPANION_DOMAIN: companion.owncloud.test
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.collaboration.CollaboraOnline
      FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      GRAPH_AVAILABLE_ROLES: b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312
c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6
      IDM_ADMIN_PASSWORD: admin
      IDM_CREATE_DEMO_USERS: "false"
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: "9233"
      NOTIFICATIONS_SMTP_HOST: ""
      NOTIFICATIONS_SMTP_INSECURE: ""
      NOTIFICATIONS_SMTP_PORT: ""
      NOTIFICATIONS_SMTP_SENDER: oCIS notifications
      NOTIFICATIONS_SMTP_USERNAME: ""
      OCIS_ADD_RUN_SERVICES: notifications
      OCIS_INSECURE: "true"
      OCIS_LOG_COLOR: "false"
      OCIS_LOG_LEVEL: info
      OCIS_LOG_PRETTY: "false"
      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
      OCIS_URL: https://[ocis-instance]
      PROXY_ENABLE_BASIC_AUTH: "false"
      PROXY_HTTP_ADDR: 0.0.0.0:9200
      PROXY_TLS: "true"
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://[tika-instance]:9998
      SEARCH_EXTRACTOR_TYPE: tika
    image: owncloud/ocis-rolling:latest
    logging:
      driver: local
    networks:
      ocis-net: null
    ports:
      - mode: ingress
        target: 9200
        published: "9200"
        protocol: tcp
    restart: always
    volumes:
      - type: bind
        source: /root/ocis/config/ocis/app-registry.yaml
        target: /etc/ocis/app-registry.yaml
        bind:
          create_host_path: true
      - type: bind
        source: /root/ocis/config/ocis/csp.yaml
        target: /etc/ocis/csp.yaml
        bind:
          create_host_path: true
      - type: bind
        source: /root/ocis/config/ocis/banned-password-list.txt
        target: /etc/ocis/banned-password-list.txt
        bind:
          create_host_path: true
      - type: bind
        source: /root/ocis/ocis-config
        target: /etc/ocis
        bind:
          create_host_path: true
      - type: bind
        source: /root/ocis/ocis-data
        target: /var/lib/ocis
        bind:
          create_host_path: true
  tika:
    image: apache/tika:latest-full
    logging:
      driver: local
    networks:
      ocis-net: null
    restart: always
networks:
  ocis-net:
    name: ocis_ocis-net

I’m using nginx as my reverse proxy. I’ve tried adding the following to the configuration:

add_header Content-Security-Policy “frame-ancestors ‘self’ https://[ocis-instance]”;

And many variants of that to no avail.

Thanks in advance for any help