timeline is not displayed in iframe
Steps to reproduce
- Form embedded as iframe:
<iframe title="Supporttermin vereinbaren" src="https://nextcloud.roundaboutweb.info/index.php/apps/calendar/appointment/iazNwtwoX9kH" width="100%" height="700" frameborder="1"></iframe>
- Set external domain as "allowedFrameAncestors" in lib/public/AppFramework/Http/ContentSecurityPolicy.php:
/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = [
'\'self\'',
'www.roundaboutweb.net',
];
Expected behavior
Form page with free appointments should be displayed (please select date 2022-08-16). Without iframe: https://nextcloud.roundaboutweb.info/index.php/apps/calendar/appointment/iazNwtwoX9kH
Actual behaviour
Only the form page without appointments is displayed (please select date 2022-08-16): With iframe: https://www.roundaboutweb.net/support-2/
Calendar app version
3.4.2 (newest)
CalDAV-clients used
No response
Browser
every one
Client operating system
Linux
Server operating system
Linux
Web server
Apache
Database engine version
MySQL
PHP engine version
PHP 8.0
Nextcloud version
24.0.3
Updated from an older installed version or fresh install
Updated from an older version
List of activated apps
- accessibility: 1.10.0
- activity: 2.16.0
- appointments: 1.12.7
- calendar: 3.4.2
- circles: 24.0.0
- cloud_federation_api: 1.7.0
- comments: 1.14.0
- contacts: 4.2.0
- contactsinteraction: 1.5.0
- dashboard: 7.4.0
- dav: 1.22.0
- deck: 1.7.1
- drawio: 1.0.3
- federatedfilesharing: 1.14.0
- federation: 1.14.0
- files: 1.19.0
- files_external: 1.16.1
- files_mindmap: 0.0.26
- files_pdfviewer: 2.5.0
- files_rightclick: 1.3.0
- files_sharing: 1.16.2
- files_trashbin: 1.14.0
- files_versions: 1.17.0
- files_videoplayer: 1.13.0
- firstrunwizard: 2.13.0
- groupfolders: 12.0.1
- logreader: 2.9.0
- lookup_server_connector: 1.12.0
- mail: 1.13.7
- news: 18.1.0
- nextcloud_announcements: 1.13.0
- notifications: 2.12.0
- oauth2: 1.12.0
- onlyoffice: 7.5.2
- passwords: 2022.6.20
- photos: 1.6.0
- polls: 3.7.0
- privacy: 1.8.0
- provisioning_api: 1.14.0
- recommendations: 1.3.0
- serverinfo: 1.14.0
- settings: 1.6.0
- sharebymail: 1.14.0
- spreed: 14.0.3
- support: 1.7.0
- survey_client: 1.12.0
- systemtags: 1.14.0
- tasks: 0.14.4
- text: 3.5.1
- theming: 1.15.0
- timemanager: 0.3.2
- timetracker: 0.0.75
- twofactor_backupcodes: 1.13.0
- updatenotification: 1.14.0
- user_status: 1.4.0
- viewer: 1.8.0
- weather_status: 1.4.0
- workflowengine: 2.6.0
Nextcloud configuration
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nextcloud.roundaboutweb.info",
"nextcloud.roundaboutweb.net"
],
"default_phone_region": "DE",
"default_language": "de",
"default_locale": "de_DE",
"skeletondirectory": "",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwrite.cli.url": "https:\/\/nextcloud.roundaboutweb.info",
"dbtype": "mysql",
"version": "24.0.3.2",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"maintenance": false,
"theme": "",
"loglevel": 0,
"integrity.check.disabled": true,
"filelocking.enabled": true,
"updater.release.channel": "stable",
"memcache.local": "",
"mail_smtpmode": "smtp",
"mail_smtpsecure": "tls",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"app_install_overwrite": [
"calendar",
"spreedme",
"drawio",
"appointments",
"deck",
"spreed",
"timetracker",
"timemanager",
"groupfolders",
"registration",
"onlyoffice"
],
"mysql.utf8mb4": true
}
}
Web server error log
No response
Log file
No response
Browser log
No response
Additional info
No response
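A check for the framing half of this report, as an added example that is not part of the issue or of Nextcloud's code: it evaluates the `frame-ancestors` list of a `Content-Security-Policy` header against an embedding origin, so the framing policy can be ruled in or out before looking at the slot request itself. The function names and sample headers are constructed, and matching is simplified to scheme and host sources and tests only the direct embedder.

```javascript
// Added example: simplified CSP `frame-ancestors` matching (scheme and host
// sources only). Checks the direct embedder, not the whole ancestor chain.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestorSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, embedder, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === page.origin;
  if (s === '*') return embedder.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A source without a scheme inherits the page's scheme; http may upgrade to https.
  const wanted = scheme ? scheme + ':' : page.protocol;
  const schemeOk = embedder.protocol === wanted ||
    (wanted === 'http:' && embedder.protocol === 'https:');
  // "*.example.com" matches subdomains only, never the bare domain.
  const hostOk = host.startsWith('*.')
    ? embedder.hostname.endsWith(host.slice(1))
    : embedder.hostname === host;
  // URL.port is '' for the scheme's default port; a source without a port requires that.
  const portOk = port === '*' ||
    (port === undefined ? embedder.port === ''
      : (embedder.port || DEFAULT_PORT[embedder.protocol]) === port);
  return schemeOk && hostOk && portOk;
}

// True when the page at pageOrigin may be framed by embedderOrigin under cspHeader.
function embeddingAllowed(cspHeader, embedderOrigin, pageOrigin) {
  const sources = frameAncestorSources(cspHeader);
  if (sources === null) return true; // no directive: CSP does not restrict framing
  const embedder = new URL(embedderOrigin);
  const page = new URL(pageOrigin);
  return sources.some((src) => sourceMatches(src, embedder, page));
}

// Constructed sample headers mirroring the allowedFrameAncestors values in the report.
const PATCHED = "default-src 'none'; frame-ancestors 'self' www.roundaboutweb.net";
const UNPATCHED = "default-src 'none'; frame-ancestors 'self'";
```

If the check passes for the embedding site and the form renders while the slots stay empty, the framing policy is not the cause and the slot request itself is what to inspect.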
Please post browser logs as requested.
You can test it on your own: https://www.roundaboutweb.net/support-2/
There's a CSRF check on the endpoint to fetch slots. Not sure if it's intended or not (maybe for privacy issues)?
In any case, the fix should just be the following:
/**
* @NoAdminRequired
+ * @NoCSRFRequired
* @PublicPage
*
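Review bot: the added `@NoCSRFRequired` sits in the same docblock as `@PublicPage`, so after this change the action accepts unauthenticated requests with no token check at all, and nothing in the docblock says why that is acceptable. Add a short comment stating that the action only reads slots and changes no state, and confirm that against the method body before merging. If the check was intentional for privacy, as the comment above wonders, the annotation should not be added and the embedded form needs to satisfy the check instead.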
https://github.com/nextcloud/calendar/blob/39f437f112f2c557238bdd5096e9d045f36e0da5/lib/Controller/BookingController.php#L92-L95
* @NoCSRFRequired
Is there any reason this didn't become or should not become a PR? I was trying to access appointments via the REST API, but this blocked me.
Unfortunately, the problem is still not fixed and I don't understand why the date is displayed in the iFrame and the timeline is not. In the meantime, I used the Appointments app, because it works with it.