On 2021-11-26 11:19, Francis Daly wrote:
On Fri, Nov 26, 2021 at 08:43:58AM -0300, Daniel Armando Rodriguez wrote:
Hi there,
One of them is a NextCloud + WOPI based LibreOffice Online Solution,
as such it needs to access resources in WOPI server subdomain. What I
need is my nginx to allow X-Frame-Options for WOPI server subdomain.
It sounds like you want a request from the client, to have a specific
header with a specific value in the response when being proxy_pass'ed
through nginx.
Well, it's not a browser request but OxOffice Online one. With
X-Frame-Options set to SAMEORIGIN I can work, can edit documents,
spreadsheets and so on. The issue arises when doing a presentation as a
new browser window is displayed. And console says
chromewebdata/:1 Refused to display 'https://wopi.dominio.edu.ar/' in a
frame because it set 'X-Frame-Options' to 'sameorigin'.
Nextcloud is hosted on its own subdomain (cloud.dominio.edu.ar) and
WOPI web services are consumed from wopi.dominio.edu.ar
Can you show one request that you make, and the response that you get,
and the response that you want to get instead?
If I disable X-Frame-Options set to SAMEORIGIN presentation appears as
it should, but I don't like the idea to disallow X-Frame-Options just
for one service.
Possibly the browser "developer tools" console can show the network
requests and responses; I suspect that you only care about the http
response headers, not the response body.
My /etc/nginx/snippets/ssl-params.conf has the X-Frame-Options set to
SAMEORIGIN.
I've tried adding the following line to NC conf file with no luck:
proxy_hide_header X-Frame-Options
Also tried adding this line, with no luck either
add_header X-Frame-Options "allow-from https://WOPI-DOMAIN";
What does "no luck" mean, here?
The refused to display 'https://wopi.dominio.edu.ar/'
I suspect it is "the browser did not end up doing what I want"; but
from an nginx perspective it would be easier if you could say "I want
*this* response but I get *that* response". (What the browser does with
the response is less interesting, from this viewpoint.)
When it comes to nginx directives, adding things in one part of the
config can "hide" or "override" things written elsewhere, for one
request.
"proxy_hide_header" means "if the proxy_pass response includes this
header, do not send it to the client".
"add_header" means "for certain response codes, send this header
name/value in the response".
However...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
suggests that "ALLOW-FROM" is in the set "Don't use it". You can have
DENY or SAMEORIGIN, or you can use Content-Security-Policy instead.
Whether your browser would do anything with an X-Frame-Options header,
is entirely up to your browser. (If it would not do anything, then
spending time configuring your nginx to send the header will not
benefit the browser.)
If you can show a complete-minimal config that shows the problem that
you see, it may become clearer what changes are needed on the nginx
side.
Cheers,
Sure,
NextCloud Server =
https://pad.unau.edu.ar/p/r.12c074621fc8c7a6ab900a0899872dbf
Wopi Server =
https://pad.unau.edu.ar/p/r.9b59663162dd956d7fe6604ba9e0870c
Nginx SSL =
https://pad.unau.edu.ar/p/r.861b2c17a9ad10e0c741a0588065e317
________________________________________________
Daniel A. Rodriguez
_Informática, Conectividad y Sistemas_
Universidad Nacional del Alto Uruguay
San Vicente - Misiones - Argentina
informatica.unau.edu.ar
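
The Content-Security-Policy route mentioned in the reply, sketched as an added example (not taken from the thread or from the linked configs, which are not shown here). It assumes the frame is the WOPI host embedded in a page served from cloud.dominio.edu.ar, as the console message indicates; the upstream address is a placeholder and the certificate directives are left out.

```nginx
# Constructed example: server block for the WOPI host only.
server {
    listen 443 ssl;
    server_name wopi.dominio.edu.ar;

    # ssl_certificate / ssl_certificate_key omitted (site-specific).

    # Snippet named in the thread; it sets X-Frame-Options SAMEORIGIN
    # with add_header at this (server) level.
    include snippets/ssl-params.conf;

    location / {
        proxy_pass http://127.0.0.1:9980;   # placeholder upstream address
        proxy_set_header Host $host;

        # If the upstream itself sends X-Frame-Options, do not pass it on.
        # proxy_hide_header only affects headers from the proxied response,
        # not headers that nginx adds with add_header.
        proxy_hide_header X-Frame-Options;

        # add_header is inherited from the server level only when the
        # current level defines no add_header of its own. Defining one here
        # therefore drops every add_header from the snippet for this
        # location, including X-Frame-Options SAMEORIGIN. Repeat any other
        # headers from the snippet that are still wanted.
        #
        # frame-ancestors lists the origins allowed to embed this response:
        # the WOPI host itself and the Nextcloud host. "always" sends the
        # header for every response code, not only the default set.
        add_header Content-Security-Policy "frame-ancestors 'self' https://cloud.dominio.edu.ar" always;
    }
}
```

The response headers can be compared before and after the change with `curl -sI https://wopi.dominio.edu.ar/`. If the upstream sends its own Content-Security-Policy header, browsers enforce both policies, so the stricter frame-ancestors value applies.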