author | Julius Härtl <jus@bitgrid.net> | 2022-02-10 17:40:56 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-10 17:40:56 +0300 |
commit | c95af16df593f2a169ea0ebda35555200797d694 (patch) | |
tree | 36d3c36388ec15e5c74c985b51ecdd8070423652 | |
parent | 2df81ba7d7e9ae1eb41845cce8d2a47248bc8b74 (diff) | |
parent | 2a6d8093d83f64b8451c7968a95ccb04bc61d167 (diff) |
Merge pull request #2034 from nextcloud/backport/1977/stable4
[stable4] Always add gs.trustedHosts to the CSP
-rw-r--r-- | docs/federated-editing.md | 25 | ||||
-rw-r--r-- | lib/AppInfo/Application.php | 16 |
2 files changed, 33 insertions, 8 deletions
diff --git a/docs/federated-editing.md b/docs/federated-editing.md
index 9afd57d0..f7b2103f 100644
--- a/docs/federated-editing.md
+++ b/docs/federated-editing.md
@@ -6,7 +6,23 @@ connect to that through their Nextcloud instance (Initiator).
 
 In a federated scenario both Nextcloud servers need to add each other as trusted servers or in a
 global scale environment a list of nodes can be added through the `gs.trustedHosts` setting in the
-config.php file.
+config.php file:
+
+```php
+'gs.trustedHosts' => [
+ 'gs1.example.com',
+ 'gs2.example.com',
+ 'collabora.example.com'
+]
+```
+
+Using wildcards is also possible:
+
+```php
+'gs.trustedHosts' => [
+ '*.example.com'
+]
+```
 
 When a Initiator opens a file that is located on an incoming federated share, a check will be
 performed if the share owners instance supports federated editing. If that is the case a Initiator
@@ -14,3 +30,10 @@ token will be created, and the user will be redirected to the Source instance to
 
 The source instance will then fetch the user and file details, create a WOPI token for the remote
 user with those details and open the document with that.
+
+## Allow remote access on Collabora
+Collabora by default only allows embedding from the same remote that the initial frame is loaded. In order to enable embedding also in trusted remotes like a different GS node, the following setting will allow that:
+
+Assuming gs1.example.com and gs2.example.com are Nextcloud servers:
+
+ coolconfig set net.frame_ancestors "*.example.com"
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 5701d50e..701e80b7 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -196,6 +196,12 @@ class Application extends App implements IBootstrap {
 
 public function updateCSP() {
 $container = $this->getContainer();
+ // Do not apply CSP rules on WebDAV/OCS
+ // Ideally this could be a middleware running after the controller execution before rendering the result to only do it on page response
+ if ($container->getServer()->getRequest()->getScriptName() !== '/index.php') {
+ return;
+ }
+
 $publicWopiUrl = $container->getServer()->getConfig()->getAppValue('richdocuments', 'public_wopi_url', '');
 $publicWopiUrl = $publicWopiUrl === '' ? \OC::$server->getConfig()->getAppValue('richdocuments', 'wopi_url') : $publicWopiUrl;
 $cspManager = $container->getServer()->getContentSecurityPolicyManager();
@@ -211,11 +217,7 @@ class Application extends App implements IBootstrap {
 /**
 * Dynamically add CSP for federated editing
 */
- $path = '';
- try {
- $path = $container->getServer()->getRequest()->getPathInfo();
- } catch (\Exception $e) {}
- if ((strpos($path, '/apps/files/') === 0 || strpos($path, '/s/') === 0) && $container->getServer()->getAppManager()->isEnabledForUser('federation')) {
+ if ($container->getServer()->getAppManager()->isEnabledForUser('federation')) {
 /** @var FederationService $federationService */
 $federationService = \OC::$server->query(FederationService::class);
 
@@ -225,6 +227,7 @@ class Application extends App implements IBootstrap {
 if ($globalScale->isGlobalScaleEnabled()) {
 $trustedList = \OC::$server->getConfig()->getSystemValue('gs.trustedHosts', []);
 foreach ($trustedList as $server) {
+ $policy->addAllowedFrameDomain($server);
 $this->addTrustedRemote($policy, $server);
 }
 }
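Review bot: The new guard compares getScriptName() with the literal `/index.php`, which presumably does not match on installations served below a sub-path (a script name such as `/nextcloud/index.php`), so the early return would silently skip every CSP addition that follows, including the Collabora frame domain. Matching the file name rather than the full path avoids that: `if (basename($container->getServer()->getRequest()->getScriptName()) !== 'index.php') {`. The comment above the check should also say that all of updateCSP is skipped for such requests, not only the federation part: `// Skip the whole policy setup for non-page requests (WebDAV/OCS); nothing below is rendered as HTML there`. updateCSP continues past the end of this hunk.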
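Review bot: `$path` disappears together with the try/catch, and updateCSP continues below this hunk, so any later use of `$path` in the rest of the method would now be an undefined variable — worth checking before merge. The context line two below the new condition still resolves the service with `\OC::$server->query(FederationService::class)` while the addTrustedRemote hunk of this same commit moves to `get()`; for consistency use `$federationService = \OC::$server->get(FederationService::class);` here too. Since the path restriction to `/apps/files/` and `/s/` is gone, a short comment on the new condition would save the next reader a git-blame: `// Federation frame-src entries are added on every page response (see the script-name guard above)`.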
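Review bot: Every `gs.trustedHosts` entry is passed verbatim to `addAllowedFrameDomain()` in the loop, and nothing checks that getSystemValue() returned an array of non-empty strings, so a misconfigured value (a scalar, or an empty or non-string entry) would either break the foreach or emit a malformed host-source into the policy header. A guard at the top of the loop keeps the header well-formed: `if (!is_string($server) || $server === '') { continue; }`. These hosts, including the `*.example.com` wildcard form that the docs hunk of this commit documents, are admin-controlled config, so a comment making that trust boundary explicit would help: `// gs.trustedHosts is admin-controlled config; entries (incl. wildcards) go into frame-src unchanged`.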
@@ -239,8 +242,7 @@ class Application extends App implements IBootstrap {
 }
 
 private function addTrustedRemote($policy, $url) {
- /** @var FederationService $federationService */
- $federationService = \OC::$server->query(FederationService::class);
+ $federationService = \OC::$server->get(FederationService::class);
 try {
 $remoteCollabora = $federationService->getRemoteCollaboraURL($url);
 $policy->addAllowedFrameDomain($url); |
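Review bot: Replacing query() with get() also removes the only type information on this method: the `/** @var FederationService */` hint is gone and `$policy`/`$url` remain untyped, so a reader has to chase callers to learn what addTrustedRemote accepts. Typing what is visible here is cheap: `private function addTrustedRemote($policy, string $url): void {` (the policy class is not visible in the hunk, so it stays untyped in this suggestion). A one-line docblock stating what the visible lines do — that `$url` is added as an allowed frame domain once its remote Collabora URL resolves — would document the intent; the method body continues outside the hunk, so what happens with `$remoteCollabora` after the visible lines is not reviewed here.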