Difficulty Setting frame-ancestors via net.content_security_policy in extra_params (Docker collabora/code:latest on Cloud Run)

Hi Collabora Community,

I’m running the collabora/code:latest Docker image on Google Cloud Run and I’m having trouble getting the frame-ancestors directive in the Content Security Policy to update correctly. My goal is to allow my frontend application (e.g., https://example.com) to embed the Collabora iframe.

What I’ve Found:

  • I saw a warning in my Collabora logs: WRN The config entry net.frame_ancestors is obsolete and will be removed in the future. Please add ‘frame-ancestors ‘self’;’ in the net.content_security_policy config.

  • My local coolwsd.xml also marks <frame_ancestors> as obsolete and points to using <content_security_policy>.

What I’ve Tried:
I’m setting the extra_params environment variable in my Cloud Run service. I’ve tried to set the full CSP using --o:net.content_security_policy.

Here’s an example of the extra_params I’ve tried to set:

--o:ssl.enable=false --o:ssl.termination=true --o:server_name=collabora.example.in:443 --o:net.content_security_policy='media-src '\''self'\'' https://collabora.example.in; object-src '\''self'\''; style-src '\''self'\''; script-src '\''self'\'' '\''unsafe-eval'\''; frame-ancestors '\''self'\'' https://example.in https://collabora.example.in; img-src '\''self'\'' data: https://www.collaboraoffice.com https://collabora.example.in api.example.in; connect-src '\''self'\'' https://www.zotero.org https://api.zotero.org wss://collabora.example.in https://collabora.example.in; frame-src '\''self'\'' https://*.rating.collaboraonline.com https://rating.collaboraonline.com blob:; font-src '\''self'\''; default-src '\''none'\'';' --o:net.post_allow.host[0]=api.example.in --o:storage.wopi.host[0]=api.example.in 

where example.in is my domain name.

The Problem:
Despite deploying this new configuration and ensuring the Cloud Run active revision has these extra_params, the Content-Security-Policy header I see in the browser response for cool.html still contains the old/default frame-ancestors (e.g., frame-ancestors ‘self’ collabora.example.in:* api.example.in:*), which doesn’t include my frontend domains. This causes the iframe to be blocked.

My Setup:

Question:

  1. Is there a specific syntax or quoting I need for the value of --o:net.content_security_policy in extra_params that I might be missing?

  2. Could there be another setting that overrides or prevents net.content_security_policy from extra_params from being applied correctly in the latest image?

  3. Has anyone successfully configured frame-ancestors this way with recent collabora/code images?

I’ve tried clearing browser caches extensively and testing in different browsers. The Cloud Run revision configuration shows the correct extra_params, but the HTTP response header doesn’t reflect the change for frame-ancestors.

Any advice or examples would be greatly appreciated!

Thanks,
Sasidhar Chavali

Hi @Sasidhar3159, welcome to the Collabora Online forums.

1. Does quoting matter in extra_params?

Yes. When passing a string like --o:net.content_security_policy='...', Cloud Run may misinterpret or strip quotes, especially around 'self' or when nested quotes are involved.

In particular, single quotes inside a quoted string must be escaped properly, and it’s often safer to avoid ' entirely in favor of CSP keyword equivalents using no quotes or URL-safe characters.


2. How does coolwsd interpret net.content_security_policy?

The setting is expected to be a single string and is passed as-is from extra_params into the configuration system (coolconfig). But if quoting fails, the setting may be malformed, partially parsed, or ignored — leading to fallback to defaults.

You can test this inside a container with:

coolconfig get net.content_security_policy

In Cloud Run, you won’t be able to shell into the container easily, but logging coolwsd.xml on startup (or dumping its values via a /hosting/discovery inspection) can help confirm what values were loaded.


3. A Minimal Working Example for extra_params

Try this minimal version without inner quotes, where keywords like self are unquoted:

--o:net.content_security_policy=media-src self https://collabora.example.in; object-src self; style-src self; script-src self unsafe-eval; frame-ancestors https://example.in https://collabora.example.in; img-src self data: https://www.collaboraoffice.com https://collabora.example.in api.example.in; connect-src self https://www.zotero.org https://api.zotero.org wss://collabora.example.in https://collabora.example.in; frame-src self https://*.rating.collaboraonline.com https://rating.collaboraonline.com blob:; font-src self; default-src 'none'

Important:

  • Use self without quotes unless required.
  • For default-src 'none', you must keep 'none' quoted because it’s a CSP reserved keyword with a dash.

Could you check whether there are any known issues on your Google Cloud Run setup that interfere with parameter settings?

Thanks
Darshan

Hi @darshan ,

Thanks so much for taking the time to help me out.

I’ve continued testing with the collabora/code:latest image on Google Cloud Run, and unfortunately, I’m still unable to get the Content-Security-Policy header (specifically the frame-ancestors directive) to change from Collabora’s default.
Based on the suggestions, I tried the following extra_params string:

--o:ssl.enable=false --o:ssl.termination=true --o:server_name=collabora.example.in:443 --o:net.content_security_policy=media-src self https://collabora.example.in; object-src self; style-src self; script-src self 'unsafe-eval'; frame-ancestors self https://example.in https://collabora.example.in; img-src self data: https://www.collaboraoffice.com https://collabora.example.in api.example.in; connect-src self https://www.zotero.org https://api.zotero.org wss://collabora.example.in https://collabora.example.in; frame-src self https://*.rating.collaboraonline.com https://rating.collaboraonline.com blob:; font-src self; default-src 'none'; --o:net.post_allow.host[0]=api.example.in --o:storage.wopi.host[0]=api.example.in

Outcome in all cases:

  1. I confirmed in the Google Cloud Run “Active Revision” configuration (YAML view) that the extra_params environment variable was correctly set to the string I intended for each test.

  2. After aggressively clearing the browser cache (including trying different browsers and incognito mode with "disable cache" in DevTools), the Content-Security-Policy HTTP response header for cool.html (from https://collabora.example.in) remains unchanged. It consistently sends the following as the response header:

media-src 'self' blob: https://collabora.example.in; object-src 'self'; style-src 'self'; script-src 'self' 'unsafe-eval'; frame-ancestors collabora.example.in:* api.example.in:*; img-src 'self' data: https://www.collaboraoffice.com collabora.example.in:* api.example.in:*; connect-src 'self' https://www.zotero.org https://api.zotero.org wss://collabora.example.in https://collabora.example.in; frame-src 'self' https://rating.collaboraonline.com https://rating.collaboraonline.com blob:; font-src 'self'; default-src 'none';
The frame-ancestors part never includes my frontend domains (https://example.in).

Could there be something specific about the Google Cloud Run environment that affects how extra_params (especially long string values with special characters for net.content_security_policy) are passed to or parsed by the coolwsd daemon? Or is this a potential issue with recent collabora/code images where this override isn't working as expected?
At this point, I'm unsure how to get Collabora to send the correct frame-ancestors via extra_params.

If you have time, any further suggestions on what to check or how to effectively set this CSP would be incredibly helpful.

Thanks again,
Sasidhar Chavali
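As an added example (not code from either poster or from Collabora), here is a small Python checker that parses a CSP value like the header quoted above and reports whether a given embedding origin is permitted by frame-ancestors, which is the check to run against the header the browser actually receives rather than against the extra_params string. It also flags keyword sources left unquoted, because the CSP grammar only recognises keywords in their quoted form ('self'); a bare self is matched as a host named "self" and grants nothing. The sample policies are quoted from the thread or constructed and labelled as such.

```python
from urllib.parse import urlsplit

KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
DEFAULT_PORT = {"https": 443, "http": 80}
# Quoted from the thread (trimmed): the header Cloud Run actually returned.
OBSERVED = "frame-ancestors collabora.example.in:* api.example.in:*; default-src 'none';"
# Constructed: the policy the original poster intended.
INTENDED = "frame-ancestors 'self' https://example.in https://collabora.example.in"

def parse_csp(value):
    # Split a CSP string into {directive: [source, ...]}
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def unquoted_keywords(value):
    """(directive, token) pairs where a CSP keyword appears without quotes."""
    return [(d, t) for d, srcs in parse_csp(value).items()
            for t in srcs if t.lower() in KEYWORDS]

def _host_match(pattern, origin):
    """Match a host-source (scheme://host:port, with * wildcards) against an origin."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        scheme, rest = "", pattern  # scheme-less source: any scheme accepted here
    host, _, port = rest.partition(":")
    o = urlsplit(origin)
    host_ok = (o.hostname or "").endswith(host[1:]) if host.startswith("*.") else host == o.hostname
    if not host_ok or (scheme and scheme != o.scheme):
        return False
    if port == "*":
        return True
    o_port = o.port or DEFAULT_PORT.get(o.scheme)
    return o_port == (int(port) if port else DEFAULT_PORT.get(scheme or o.scheme))

def frame_ancestor_allowed(value, embedder, serving_origin):
    """True if `embedder` may frame a page served from `serving_origin` under this CSP."""
    sources = parse_csp(value).get("frame-ancestors")
    if sources is None:
        return True  # directive absent: CSP imposes no framing restriction
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and embedder == serving_origin:
            return True
        if not src.startswith("'") and _host_match(src, embedder):
            return True
    return False
```

Feed it the Content-Security-Policy value copied from the browser's network panel; if the intended origin is rejected, the override never reached coolwsd, which narrows the problem to how extra_params is being passed.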