author | Julius Härtl <jus@bitgrid.net> | 2022-02-10 17:40:51 +0300 |
committer | GitHub <noreply@github.com> | 2022-02-10 17:40:51 +0300 |
commit | 135e42f5dece2f34a835479aca6c3b32d94384f1 (patch) | |
tree | 610a9173540475f4e9a25b1e8ec7b190310b8172 | |
parent | 5ac5d791aa832ff589cb0dafd92417d20afeb80c (diff) | |
parent | ef3de5f9a96fd3deea06d1ec872e7e309d393595 (diff) |
Merge pull request #2033 from nextcloud/backport/1977/stable23
[stable23] Always add gs.trustedHosts to the CSP
-rw-r--r-- | docs/federated-editing.md | 25 | ||||
-rw-r--r-- | lib/AppInfo/Application.php | 16 |
2 files changed, 33 insertions, 8 deletions
diff --git a/docs/federated-editing.md b/docs/federated-editing.md index 9afd57d0..f7b2103f 100644 --- a/docs/federated-editing.md +++ b/docs/federated-editing.md @@ -6,7 +6,23 @@ connect to that through their Nextcloud instance (Initiator). In a federated scenario both Nextcloud servers need to add each other as trusted servers or in a global scale environment a list of nodes can be added through the `gs.trustedHosts` setting in the -config.php file. +config.php file: + +```php +'gs.trustedHosts' => [ + 'gs1.example.com', + 'gs2.example.com', + 'collabora.example.com' +] +``` + +Using wildcards is also possible: + +```php +'gs.trustedHosts' => [ + '*.example.com' +] +``` When a Initiator opens a file that is located on an incoming federated share, a check will be performed if the share owners instance supports federated editing. If that is the case a Initiator @@ -14,3 +30,10 @@ token will be created, and the user will be redirected to the Source instance to The source instance will then fetch the user and file details, create a WOPI token for the remote user with those details and open the document with that. + +## Allow remote access on Collabora +Collabora by default only allows embedding from the same remote that the initial frame is loaded. In order to enable embedding also in trusted remotes like a different GS node, the following setting will allow that: + +Assuming gs1.example.com and gs2.example.com are Nextcloud servers: + + coolconfig set net.frame_ancestors "*.example.com" diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php index 67a08000..c768dcd8 100644 --- a/lib/AppInfo/Application.php +++ b/lib/AppInfo/Application.php 
@@ -198,6 +198,12 @@ class Application extends App implements IBootstrap { public function updateCSP() { $container = $this->getContainer(); + // Do not apply CSP rules on WebDAV/OCS + // Ideally this could be a middleware running after the controller execution before rendering the result to only do it on page response + if ($container->getServer()->getRequest()->getScriptName() !== '/index.php') { + return; + } + $publicWopiUrl = $container->getServer()->getConfig()->getAppValue('richdocuments', 'public_wopi_url', ''); $publicWopiUrl = $publicWopiUrl === '' ? \OC::$server->getConfig()->getAppValue('richdocuments', 'wopi_url') : $publicWopiUrl; $cspManager = $container->getServer()->getContentSecurityPolicyManager(); @@ -213,11 +219,7 @@ class Application extends App implements IBootstrap { /** * Dynamically add CSP for federated editing */ - $path = ''; - try { - $path = $container->getServer()->getRequest()->getPathInfo(); - } catch (\Exception $e) {} - if ((strpos($path, '/apps/files/') === 0 || strpos($path, '/s/') === 0) && $container->getServer()->getAppManager()->isEnabledForUser('federation')) { + if ($container->getServer()->getAppManager()->isEnabledForUser('federation')) { /** @var FederationService $federationService */ $federationService = \OC::$server->query(FederationService::class); @@ -227,6 +229,7 @@ class Application extends App implements IBootstrap { if ($globalScale->isGlobalScaleEnabled()) { $trustedList = \OC::$server->getConfig()->getSystemValue('gs.trustedHosts', []); foreach ($trustedList as $server) { + $policy->addAllowedFrameDomain($server); $this->addTrustedRemote($policy, $server); } } 
@@ -241,8 +244,7 @@ class Application extends App implements IBootstrap { } private function addTrustedRemote($policy, $url) { - /** @var FederationService $federationService */ - $federationService = \OC::$server->query(FederationService::class); + $federationService = \OC::$server->get(FederationService::class); try { $remoteCollabora = $federationService->getRemoteCollaboraURL($url); $policy->addAllowedFrameDomain($url); |
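Review bot: The early return added at the top of updateCSP (first hunk on the previous line) compares getScriptName() with the exact string '/index.php', so on an instance served from a sub-path, where the script name is presumably `/<webroot>/index.php`, every page response takes the early return and none of the frame-src entries below it, the Collabora URL and the gs.trustedHosts list, ever reach the policy. A suffix comparison keeps the WebDAV/OCS exclusion while working for sub-path installs: `$scriptName = $container->getServer()->getRequest()->getScriptName();` followed by `if (substr($scriptName, -strlen('/index.php')) !== '/index.php') {`. Separately, with the `$path` gate removed in the second hunk, the trusted-host frame-src allowances now apply to every page response rather than only /apps/files and /s/ pages, so a stale or overly broad gs.trustedHosts entry (the docs change permits wildcards) relaxes the CSP for the whole UI; the foreach in the third hunk would benefit from a comment such as `// gs.trustedHosts is taken as configured; each entry (wildcards included) becomes a frame-src source on every page response`. updateCSP starts and continues outside these hunks.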