Cross-origin frame problems

The frame_ancestors tag being marked as obsolete in the coolwsd.xml configuration file indicates that you should now use the content_security_policy (CSP) directive instead, which provides more granular control over security policies for content embedding. Since you’re still encountering issues even after modifying your configuration, let’s focus on implementing a correct content_security_policy.

Possible solution:

  1. Remove the frame_ancestors Setting
    Since frame_ancestors is obsolete, and you’re instructed to use content_security_policy, you can safely remove or comment out the <frame_ancestors> tag from the coolwsd.xml. The relevant portion should now look like this:

    <content_security_policy desc="Customize the CSP header by specifying one or more policy-directive, separated by semicolons. See w3.org/TR/CSP2">
        default-src 'self'; frame-src 'self' https://docs.domain.ca https://domain.ca blob:; frame-ancestors https://domain.ca https://docs.domain.ca;
    </content_security_policy>
    
  2. Customizing content_security_policy
    The content_security_policy tag accepts a string in CSP format. Here’s an example that should allow your custom app (running on domain.ca) to embed documents from your CODE instance (docs.domain.ca), and allow operations like file access via blobs, printing, and others:

    <content_security_policy>
        default-src 'self';
        frame-src 'self' https://docs.domain.ca https://domain.ca blob:;
        script-src 'self' 'unsafe-inline';
        img-src 'self' data:;
        style-src 'self' 'unsafe-inline';
        connect-src 'self' https://docs.domain.ca;
        frame-ancestors https://domain.ca https://docs.domain.ca;
    </content_security_policy>
    
  3. Ensure Correct Server Headers (Apache/Nginx)
    You mentioned configuring CSP headers on the Apache side, but you should ensure that the headers set by Apache do not conflict with the content_security_policy in coolwsd.xml. Either remove them from Apache or set them only for specific routes to avoid overriding the CSP set by Collabora. You can add the CSP in Apache like this:

    Header always set Content-Security-Policy "default-src 'self'; frame-src 'self' https://docs.domain.ca https://domain.ca blob:; frame-ancestors https://domain.ca https://docs.domain.ca;"
    
  4. Restart the Services
    After applying these changes, restart both the coolwsd service and your web server (Apache or Nginx) to apply the updated configuration:

    sudo systemctl restart coolwsd
    sudo systemctl restart apache2  # Or nginx if you use Nginx
    
  5. Check Browser Dev Tools Again
    After restarting, check your browser’s developer tools for any CSP-related errors. The headers should now reflect your changes, and the cross-origin errors related to iframe embedding or autofocusing should no longer appear.

If Issues Persist

If after implementing this, you still see errors related to printing or iframe access:

  • Ensure there are no sandbox attributes or policies applied to the iframe from your web app’s side.
  • Verify that no other Apache/Nginx reverse proxy settings are interfering with the requests.
  • Try to load the Collabora iframe directly and check if CSP issues arise only when embedded via your app or generally.

These steps should resolve the issue.

All the best,
Darshan

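A small checker for the embedding scenario in steps 1 to 3 above, added here as an example; it is not part of the post or of the Collabora/coolwsd code base. It parses CSP strings like the coolwsd.xml and Apache values quoted above, evaluates the frame-ancestors directive against the app's origin, and shows the one point worth verifying when both coolwsd and the reverse proxy send a header: a browser enforces every Content-Security-Policy header it receives, so the embedding has to be allowed by all of them, and a stricter leftover header from Apache is not "overridden" by a looser one from coolwsd. The domain names, the sample policies and the "stricter Apache header" case are constructed for illustration.

```python
"""Check whether an embedding origin passes the frame-ancestors directive of
one or more Content-Security-Policy strings (constructed example, not
coolwsd code).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}.

    Whitespace and newlines (as in a multi-line coolwsd.xml value) are
    collapsed; directive names are case-insensitive.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            name, *sources = tokens
            directives[name.lower()] = sources
    return directives


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS.get(scheme)


def source_matches(source: str, embedder: tuple, own: tuple) -> bool:
    """Match one frame-ancestors source expression against the embedder's origin.

    Handles 'none', 'self', '*', scheme-only sources ("https:") and host
    sources with optional scheme, "*." wildcard and port. Paths are ignored,
    a simplification that is exact for origin-only sources like those in
    the thread.
    """
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == own
    if src == "*":
        return True
    e_scheme, e_host, e_port = embedder
    if src.endswith(":") and "/" not in src:      # scheme-source, e.g. "https:"
        return src[:-1] == e_scheme
    scheme = None
    if "://" in src:
        scheme, src = src.split("://", 1)
    host, _, port = src.split("/", 1)[0].partition(":")
    # Without an explicit scheme the embedder must use our own scheme (or https).
    if scheme is None:
        if e_scheme not in (own[0], "https"):
            return False
    elif scheme != e_scheme:
        return False
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):         # "*.domain.ca" -> ".domain.ca"
            return False
    elif host != e_host:
        return False
    if port == "*":
        return True
    if port:
        return int(port) == e_port
    return e_port == DEFAULT_PORTS.get(e_scheme)


def frame_ancestors_allows(policy: str, embedder_url: str, own_url: str) -> bool:
    """True if this single policy lets own_url be framed by embedder_url.

    frame-ancestors does not fall back to default-src: a policy without it
    places no framing restriction at all (X-Frame-Options is separate).
    """
    sources = parse_csp(policy).get("frame-ancestors")
    if sources is None:
        return True
    embedder, own = origin_of(embedder_url), origin_of(own_url)
    return any(source_matches(s, embedder, own) for s in sources)


def blocking_policies(policies: list, embedder_url: str, own_url: str) -> list:
    """Indices of the policies that would block the embedding.

    Every CSP header the browser receives is enforced, so the embedding is
    allowed only when no policy blocks it.
    """
    return [i for i, p in enumerate(policies)
            if not frame_ancestors_allows(p, embedder_url, own_url)]


def embedding_allowed(policies: list, embedder_url: str, own_url: str) -> bool:
    return not blocking_policies(policies, embedder_url, own_url)


# Constructed sample policies mirroring the coolwsd.xml and Apache values above.
COOLWSD_CSP = """
    default-src 'self';
    frame-src 'self' https://docs.domain.ca https://domain.ca blob:;
    connect-src 'self' https://docs.domain.ca;
    frame-ancestors https://domain.ca https://docs.domain.ca;
"""
APACHE_CSP = ("default-src 'self'; frame-src 'self' https://docs.domain.ca "
              "https://domain.ca blob:; frame-ancestors https://domain.ca https://docs.domain.ca;")
STRICT_APACHE_CSP = "frame-ancestors 'self'"   # a leftover header that would break embedding

if __name__ == "__main__":
    own, app = "https://docs.domain.ca", "https://domain.ca"
    print("coolwsd + matching Apache header allowed:",
          embedding_allowed([COOLWSD_CSP, APACHE_CSP], app, own))
    print("coolwsd + stricter Apache header, blocked by policy index:",
          blocking_policies([COOLWSD_CSP, STRICT_APACHE_CSP], app, own))
```

Run it with the actual header values copied from the browser's Network tab (one string per Content-Security-Policy header) to see which of them is the one rejecting the iframe; a policy that only sets default-src does not restrict framing, so an embedding failure always traces back to a frame-ancestors entry or to a separate X-Frame-Options header.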