[BUG] onlyoffice documentserver integration broken due to Nextcloud's reverse proxy modification in ssl.conf
jdancouga opened this issue · 1 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Enabling ssl.conf's add_header Referrer_Policy/X-Content-Type-Options/X-Frame-Options/X-XSS-Protection options as instructed in nextcloud.subdomain.conf will break the integration of Onlyoffice within nextcloud. However, not enabling the add-header options will fail the nextcloud security check.
Expected Behavior
Passing nextcloud's security check while still have functioning onlyoffice integration.
Steps To Reproduce
- setup reverse proxy for nextcloud and onlyoffice documentserver using swag's default temaplate for nextcloud.subdomain and documentserver.subdomain proxy conf.
- remove comments in ssl.conf's optional additional header for add_header Referrer_Policy/X-Content-Type-Options/X-Frame-Options/X-XSS-Protection
Don't really understand all these personally, so I just did some trials and errors. I found out it is when "add_header X-Frame-Options "SAMEORIGIN" always;" is enabled causing the integration to break.
For now, I simply add this particular header within nextcloud.subdomain.conf to pass the security test.
Update: Closing this issue report. Upon further reading, this seems to be the correct behavior when enabling this header.
https://forum.onlyoffice.com/t/error-message-when-opening-creating-a-document-from-update/4392/12