linuxserver / reverse-proxy-confs

These confs are pulled into our SWAG image: https://github.com/linuxserver/docker-swag
GNU General Public License v3.0

[BUG] onlyoffice documentserver integration broken due to Nextcloud's reverse proxy modification in ssl.conf #589

Closed jdancouga closed 1 year ago

jdancouga commented 1 year ago

Is there an existing issue for this?

Current Behavior

Enabling ssl.conf's add_header Referrer_Policy/X-Content-Type-Options/X-Frame-Options/X-XSS-Protection options as instructed in nextcloud.subdomain.conf will break the integration of Onlyoffice within nextcloud. However, not enabling the add-header options will fail the nextcloud security check.

Expected Behavior

Passing nextcloud's security check while still having a functioning onlyoffice integration.

Steps To Reproduce

  1. Set up a reverse proxy for nextcloud and onlyoffice documentserver using swag's default template for the nextcloud.subdomain and documentserver.subdomain proxy confs.
  2. Remove the comments in ssl.conf's optional additional headers for add_header Referrer_Policy/X-Content-Type-Options/X-Frame-Options/X-XSS-Protection.

jdancouga commented 1 year ago

Don't really understand all of this personally, so I just did some trial and error. I found out that it is enabling "add_header X-Frame-Options "SAMEORIGIN" always;" that causes the integration to break.

For now, I simply add this particular header within nextcloud.subdomain.conf to pass the security test.

Update: Closing this issue report. Upon further reading, this seems to be the correct behavior when enabling this header. https://forum.onlyoffice.com/t/error-message-when-opening-creating-a-document-from-update/4392/12
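
The scoping described in this thread, written out as an nginx sketch. This is an added example, not part of the original issue and not the project's own confs. The host names, upstream addresses, the `/config/nginx/ssl.conf` include path and the optional `frame-ancestors` line are assumptions for illustration.

```nginx
# ssl.conf (assumed to be included by every proxy conf):
# leave the global line commented. If it is enabled here, documentserver
# responses carry it too, and the browser refuses to render the editor
# inside the iframe that Nextcloud opens from a different origin.
#add_header X-Frame-Options "SAMEORIGIN" always;

# nextcloud.subdomain.conf
server {
    listen 443 ssl;
    server_name nextcloud.*;              # assumed host name pattern
    include /config/nginx/ssl.conf;       # assumed include path

    # Scoped to this vhost, so Nextcloud's own pages cannot be framed by
    # other origins and its security check sees the header.
    # Keep it at server level: a location block that declares its own
    # add_header stops inheriting every add_header from the server level.
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        proxy_pass https://nextcloud:443;   # placeholder upstream
    }
}

# documentserver.subdomain.conf
server {
    listen 443 ssl;
    server_name documentserver.*;         # assumed host name pattern
    include /config/nginx/ssl.conf;

    # No X-Frame-Options "SAMEORIGIN" here: the editor has to be framed
    # by the Nextcloud origin.
    # Optional tightening (assumption, not from the thread): allow framing
    # only from the Nextcloud origin instead of from anywhere.
    add_header Content-Security-Policy "frame-ancestors https://nextcloud.example.com" always;

    location / {
        proxy_pass http://documentserver:80;   # placeholder upstream
    }
}
```

After reloading nginx, `curl -sI` against each host shows which vhost actually returns `X-Frame-Options`.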