Open Thatoo opened 10 months ago
Here is the screenshot that explains it well:
It would be nice if we didn't need to open the CAS acceptance in a new window, but it would just display in the iframe, and after clicking on accept it would go back to Element in the iframe.
Well,
I think it's probably an nginx header issue, but I don't really know where. Can you check with the browser debug tools if there are some errors/warnings?
Le cookie « PHPSESSID » n’a pas de valeur d’attribut « SameSite » appropriée. Bientôt, les cookies dont l’attribut « SameSite » est manquant ou défini avec une valeur invalide seront traités comme « Lax ». Cela signifie que le cookie ne sera plus envoyé dans des contextes tiers. Si votre application dépend de la disponibilité de ce cookie dans de tels contextes, veuillez lui ajouter l’attribut « SameSite=None ». Pour en savoir plus sur l’attribut « SameSite », consultez https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite [login](https://matrix.MYDOMAIN.COM/_matrix/cas_server.php/login?service=https%3A%2F%2Fmatrix.MYDOMAIN.COM%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Fnextcloud.yunomatcloud.hamdel.in%252Fapps%252Friotchat%252Friot%252F%2523%252F)
Le chargement de « https://matrix.MYDOMAIN.COM/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fnextcloud.MYDOMAIN.COM%2Fapps%2Friotchat%2Friot%2F%23%2F&ticket=d7f402554717139bfd8ff396c9c2c231b9ce42eef1345b45a5be8541270ae89f93f2eebf41804751e8eeee90fa8e23a3a343 » dans un cadre est refusé par la directive « X-Frame-Options » définie à « SAMEORIGIN ».
[ticket](https://matrix.MYDOMAIN.COM/_matrix/client/r0/login/cas/ticket?redirectUrl=https%3A%2F%2Fnextcloud.MYDOMAIN.COM%2Fapps%2Friotchat%2Friot%2F%23%2F&ticket=d7f402554717139bfd8ff396c9c2c231b9ce42eef1345b45a5be8541270ae89f93f2eebf41804751e8eeee90fa8e23a3a343)
This error page has no error code in its security info [aboutNetError.js:570:13](chrome://browser/content/certerror/aboutNetError.js)
Uncaught DOMException: Permission denied to access property "document" on cross-origin object [main.js:2](https://nextcloud.MYDOMAIN.COM/apps/riotchat/js/main.js?v=4a98364a-0)
i main.js:45
nextcloud.MYDOMAIN.COM is different from matrix.MYDOMAIN.COM, so indeed « X-Frame-Options » définie à « SAMEORIGIN » is providing it.
Not sure it's possible to make an exception in nginx though...
Interesting... I face the exact same issue but reversed, trying to add the Nextcloud calendar as a widget into a Matrix room. Apparently this « X-Frame-Options » defined as « SAMEORIGIN » in nginx for Matrix and Nextcloud is kind of bothering. Isn't it too restrictive?
Would it be possible to configure headers so CAS can be embedded in an iframe? The idea is to be able to authenticate by CAS to Synapse from riotchat (Element for Nextcloud) without the need to open another window and make the user feel lost.
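The two console messages in the thread are really two separate browser checks: `X-Frame-Options: SAMEORIGIN` compares the full origin (scheme, host, port), so `nextcloud.MYDOMAIN.COM` framing `matrix.MYDOMAIN.COM` is refused even though both share a registrable domain; the `PHPSESSID` SameSite warning, on the other hand, is about site, and those two hosts are same-site, so a `Lax` cookie is still sent inside that frame. The script below is an added example written for this thread, not code from the project or from anyone in it. It models both decisions so you can test a header set before touching the server: `framing_allowed` applies `frame-ancestors` when present (browsers then ignore `X-Frame-Options`) and falls back to `X-Frame-Options` otherwise, and `cookie_usable_in_frame` applies the SameSite rule. The header sets and the cookie are constructed for illustration; `_registrable_domain` is a naive two-label approximation (no public suffix list), which is fine for `MYDOMAIN.COM` but not for something like `co.uk`. The hardened header set corresponds to an nginx `add_header Content-Security-Policy "frame-ancestors 'self' https://nextcloud.MYDOMAIN.COM";` on the Synapse/CAS vhost, which is the assumed fix; scope it to the CAS login `location` rather than the whole server so the rest of Synapse keeps its `SAMEORIGIN` behaviour.

```python
"""Model the browser's framing and SameSite-cookie decisions for a header set.
All header sets and cookies in this file are constructed for illustration."""
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def _origin(url: str) -> tuple:
    """(scheme, host, port) of a URL with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(scheme, 0))


def _registrable_domain(url: str) -> str:
    """Naive registrable domain: last two labels (assumption: no public suffix list)."""
    host = _origin(url)[1]
    return ".".join(host.split(".")[-2:])


def _source_matches(source: str, embedder: tuple, target: tuple) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    s = source.strip().lower()
    if s == "'self'":
        return embedder == target
    if s == "'none'":
        return False
    if s.endswith(":") and "://" not in s:          # scheme-source such as "https:"
        return embedder[0] == s[:-1]
    scheme, _, rest = s.rpartition("://")           # host-source, scheme optional
    host, _, port = rest.partition(":")
    if host.startswith("*."):
        host_ok = embedder[1].endswith(host[1:])     # "*.mydomain.com" -> ".mydomain.com"
    else:
        host_ok = embedder[1] == host
    # An http: source also matches https: (the spec allows the secure upgrade).
    scheme_ok = not scheme or embedder[0] == scheme or (scheme == "http" and embedder[0] == "https")
    expected_port = int(port) if port else _DEFAULT_PORT.get(scheme or target[0], 0)
    return host_ok and scheme_ok and embedder[2] == expected_port


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: dict, embedder_url: str, target_url: str) -> bool:
    """May a response carrying `headers` render in a frame whose parent is embedder_url?
    When CSP carries frame-ancestors, browsers use it and ignore X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, target = _origin(embedder_url), _origin(target_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, embedder, target) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == target        # full origin: scheme + host + port
    return True                          # no recognised framing restriction


def cookie_usable_in_frame(set_cookie: str, embedder_url: str, target_url: str) -> bool:
    """Will this cookie be sent on requests the framed target makes?
    Same-site frames get every cookie; cross-site frames need SameSite=None + Secure."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        attrs[k.lower()] = v.strip().lower()
    if _registrable_domain(embedder_url) == _registrable_domain(target_url):
        return True
    return attrs.get("samesite") == "none" and "secure" in attrs


# Constructed header sets: the one from the thread, and the assumed hardened one.
CURRENT_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",  # kept for old browsers; CSP wins where supported
    "Content-Security-Policy": "frame-ancestors 'self' https://nextcloud.MYDOMAIN.COM",
}
EMBEDDER = "https://nextcloud.MYDOMAIN.COM/apps/riotchat/riot/"
CAS_LOGIN = "https://matrix.MYDOMAIN.COM/_matrix/cas_server.php/login"
SESSION_COOKIE = "PHPSESSID=constructed-session-id; Path=/; Secure"   # no SameSite attribute

if __name__ == "__main__":
    print("current  :", framing_allowed(CURRENT_HEADERS, EMBEDDER, CAS_LOGIN))    # False
    print("hardened :", framing_allowed(HARDENED_HEADERS, EMBEDDER, CAS_LOGIN))   # True
    print("cookie   :", cookie_usable_in_frame(SESSION_COOKIE, EMBEDDER, CAS_LOGIN))  # True
```

The hardened set still refuses any origin not on the list, so a page on an unrelated site cannot frame the CAS login; the wildcard form `https://*.MYDOMAIN.COM` is supported too if more subdomains need it. If the embedder were ever moved to a different registrable domain, `cookie_usable_in_frame` flips to `False` until `PHPSESSID` is issued with `SameSite=None; Secure`, which is exactly the case the Firefox warning describes.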