nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

CSP blocking federated access? #1875

Closed mhoffmann75 closed 2 years ago

mhoffmann75 commented 2 years ago

We have a setup of two Nextcloud instances, each with its own Collabora instance. Let's call them nextcloud1, nextcloud2, collabora1 and collabora2. In real life they have FQDNs with trusted certs. For this issue I use the short names instead.

For company1, nextcloud1 is attached to collabora1, and for company2, nextcloud2 is attached to collabora2.

On all machines: the latest stable version 22.2.3 with the latest richdocuments app (4.2.3) and the latest CODE Docker container.

Both nextcloud instances are trusting each other via nextcloud federation and are shown in yellow within nextcloud web.

On both collabora instances we have configured <frame_ancestors> to "https://nextcloud1 https://nextcloud2" (also tried https://*) and added "nextcloud1|nextcloud2" as allowed regex host via /etc/loolwsd/loolwsd.xml:

```xml
...
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud1|nextcloud2</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
...
        <frame_ancestors desc="Specify who is allowed to embed the LO Online iframe (loolwsd and WOPI host are always allowed). Separate multiple hosts by space.">https://nextcloud1 https://nextcloud2</frame_ancestors>
...
```

The richdocuments app configuration on both Nextcloud instances points to their own Collabora instance.

What works - what does not?

However, accessing a federated office file results in a 15-second spinning wheel and "Failed to load Collabora Online. Please try again later". The cause seems to be that the remote Nextcloud is missing from the CSP.

We get the following error on nextcloud1: refused to frame 'https://nextcloud2' because it violates the following Content Security Policy directive: "frame-src 'self' https://collabora1". Obviously nextcloud2 is missing here - same for nextcloud1 on nextcloud2's side.

When forcefully disabling CSP in the reverse proxy, all works well, so it is an issue where the CSP is not set correctly. But why?

Is this a bug, or am I missing something?

I even tried to set gs.trustedHosts but without luck. From my understanding (the docs are not too clear for me here) it should work without Global Scale mode but with an additional browser refresh. Currently I don't want to enable gs.enable since both Nextcloud instances are from different companies, and I don't think that Global Scale mode is really needed here? Or is this the best way to achieve federated editing - what would be the downside of GS mode?

Any safe way to add the missing host to CSP headers?
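The browser error quoted above is decided entirely by the `frame-src` source list (falling back to `child-src`, then `default-src`). The following is an added example, not code from the richdocuments project or from anyone in this thread: a small CSP evaluator that reproduces the browser's decision for a given page origin and framed origin, so an admin can paste the `Content-Security-Policy` header a Nextcloud instance actually returns and see which directive governs framing and whether the federated host is covered. The sample headers are constructed from the one quoted in this issue; nonces, hashes, IPv6 literals and redirect handling are left out.

```python
"""Added example (not Nextcloud/richdocuments code): evaluate a CSP header the way a
browser does when deciding whether a page may embed another origin in an <iframe>."""
from __future__ import annotations

from urllib.parse import urlsplit

# CSP3 fallback order for framing decisions.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.
    A repeated directive is ignored by browsers, so the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(header: str) -> str | None:
    """The directive that actually decides iframe loading, or None if the policy
    says nothing about framing (in which case CSP imposes no restriction)."""
    policy = parse_csp(header)
    return next((name for name in FRAME_FALLBACK if name in policy), None)


def _origin_key(url) -> tuple:
    return (url.scheme, (url.hostname or "").lower(), url.port or DEFAULT_PORTS.get(url.scheme))


def _port_matches(src_port: str, url) -> bool:
    url_port = url.port or DEFAULT_PORTS.get(url.scheme)
    if not src_port:                          # no port in the source: default port only
        return url_port == DEFAULT_PORTS.get(url.scheme)
    return src_port == "*" or (src_port.isdigit() and int(src_port) == url_port)


def source_matches(source: str, page_origin: str, frame_origin: str) -> bool:
    """Does one source expression ('self', https://collabora1, *.example.com, https:)
    cover frame_origin for a document served from page_origin?"""
    page, frame = urlsplit(page_origin), urlsplit(frame_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_key(page) == _origin_key(frame)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:   # scheme-source such as https:
        return frame.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if frame.scheme != scheme.lower():
            return False
    else:
        rest = source
        # scheme omitted: the page's scheme applies, and an http page may frame https
        if frame.scheme != page.scheme and not (page.scheme == "http" and frame.scheme == "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    host = host.lower()
    frame_host = (frame.hostname or "").lower()
    if host == "*":
        host_ok = True
    elif host.startswith("*."):               # wildcard covers subdomains, not the bare domain
        host_ok = frame_host.endswith(host[1:]) and frame_host != host[2:]
    else:
        host_ok = frame_host == host
    return host_ok and _port_matches(port, frame)


def frame_allowed(header: str, page_origin: str, frame_origin: str) -> bool:
    """True if a document from page_origin carrying this CSP may embed frame_origin."""
    name = governing_directive(header)
    if name is None:
        return True
    return any(source_matches(s, page_origin, frame_origin) for s in parse_csp(header)[name])


if __name__ == "__main__":
    # Constructed from the header quoted in the issue: nextcloud1 only lists itself and
    # collabora1, so the federated nextcloud2 frame is refused until it is added.
    reported = "default-src 'self'; frame-src 'self' https://collabora1"
    fixed = reported + " https://nextcloud2"
    print("governing directive:", governing_directive(reported))
    for origin in ("https://collabora1", "https://nextcloud2"):
        print(origin, "reported:", frame_allowed(reported, "https://nextcloud1", origin),
              "after adding federated host:", frame_allowed(fixed, "https://nextcloud1", origin))
```

Run it against the real header (for example the `Content-Security-Policy` line from `curl -I` on the Nextcloud instance, which is an assumed way of obtaining it) rather than the config you intended to ship: the issue above is precisely a case where the configured `frame_ancestors` on the Collabora side looked right while the Nextcloud-side `frame-src` was still missing the federated host.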

mopsig commented 2 years ago

I am having the same issue on two instances of Nextcloud 22.2.3.1 (Enterprise), richdocuments 4.3.2 and coolwsd/loolwsd 21.11.0.5-1 from the CODE repositories on Ubuntu 20.04 LTS. Everything is behind nginx.

Followed the instructions from stable22's README.md:

Result:

Refused to frame 'https://nextcloud2' because it violates the following Content Security Policy directive: "frame-src 'self' https://collabora".

GS mode is currently also not an option for me.

gglx commented 2 years ago

Same issue here: two instances, NC 22.2.5, richdocuments 4.2.4, coolwsd 21.11.2.2 from CODE on Debian 10. Web server is Apache. Everything works fine except federated document access. Frame ancestors are set as mopsig described above. Browser reports CSP violation.

ThibautPlg commented 2 years ago

Until my PR is reviewed, the fastest fix is to add your federated NC FQDN into lib/public/AppFramework/Http/ContentSecurityPolicy.php file.

Example:

```php
# lib/public/AppFramework/Http/ContentSecurityPolicy.php
[... content]
    /** @var array Domains from which iframes can be loaded */
    protected $allowedFrameDomains = [
        'nextcloud2.website.com',
        'nextcloud3.website.com',
    ];
[... content]
```

You have to set every federated server on each server to be able to edit shared files from all origins.

maxxer commented 2 years ago

PR is merged, is this issue still open?