
Cross-Origin-Opener-Policy breaks other nextcloud apps

Open droogi opened this issue 1 year ago • 11 comments

Describe the bug

Enabling Nextcloud Office breaks other Nextcloud apps

To Reproduce

Steps to reproduce the behavior:

  1. Enable Nextcloud Office 8.5.1
  2. Click on maps or memories
  3. maps: tiles are not loaded, memories: preview is not displayed, pictures are not loaded

Expected behavior

Other Nextcloud apps should work

Screenshots

  • e.g. no preview in memories

  • e.g. no tiles in maps


Client details:

  • OS: windows 11, android, android memories app
  • Firefox 131, Edge 129
  • Device: desktop, android, nextcloud apps

Server details

Operating system: dietpi 9.7

Web server: nginx 1.22.1

Database: MariaDB

PHP version: PHP 8.2.24

Nextcloud version: 29 & 30

Version of the richdocuments app: Nextcloud Office 8.5.1

Browser log

mistakes:

    The source list for the Content Security Policy directive 'connect-src' contains an invalid source: '://'. It will be ignored.

    c.tile.openstreetmap.org/11/1086/692.png:1

        GET https://c.tile.openstreetmap.org/11/1086/692.png net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200 (OK)

Hit F12 to open developer tools, switch to Network tab, reload page with F5. At the top of the request list, select maps/, then select "Headers" tab in the newly opened frame.

    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin

Discovery and possible root cause

  • discovery
  • possible root cause with explanation by MichaIng
  • same? failure was mentioned here: https://github.com/nextcloud/richdocuments/pull/3260

droogi avatar Oct 08 '24 19:10 droogi
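
Why the tile request in the browser log above is blocked, shown as an added example (not part of the original issue or of Nextcloud's code): a simplified model of the browser's Cross-Origin-Resource-Policy check for subresources of a page served with COEP. The page URL `https://cloud.example/apps/maps/` is a constructed placeholder, and the tile response is assumed to carry no `Cross-Origin-Resource-Policy` header, as the error text implies.

```javascript
// Simplified model of the Fetch "cross-origin resource policy check".
// Assumptions: "same-site" is reported as undecided (a real check needs the
// public suffix list), and under "credentialless" the cross-origin no-cors
// request is taken to be sent without credentials.
const KNOWN_CORP = ['same-origin', 'same-site', 'cross-origin'];

function corpVerdict({ documentUrl, coep, resourceUrl, mode, corp }) {
  const docOrigin = new URL(documentUrl).origin;
  const resOrigin = new URL(resourceUrl).origin;
  if (docOrigin === resOrigin) return 'allowed: same origin';
  // CORS-mode requests are governed by the CORS check, not by CORP.
  if (mode === 'cors') return 'allowed if the CORS check passes';

  // A missing or unrecognised CORP value counts as "no policy".
  let policy = corp && KNOWN_CORP.includes(corp.trim()) ? corp.trim() : null;
  let defaulted = false;
  if (policy === null) {
    if (coep === 'require-corp') {
      policy = 'same-origin'; // the default that produces the error in the log
      defaulted = true;
    } else if (coep === 'credentialless') {
      return 'allowed: fetched without credentials';
    } else {
      return 'allowed: no policy applies';
    }
  }
  if (policy === 'cross-origin') return 'allowed: CORP cross-origin';
  if (policy === 'same-site') return 'undecided: same-site needs the public suffix list';
  return defaulted
    ? 'blocked: defaulted to same-origin by COEP'
    : 'blocked: CORP same-origin';
}

// Constructed page URL; the tile URL is the one from the browser log.
const tile = {
  documentUrl: 'https://cloud.example/apps/maps/',
  resourceUrl: 'https://c.tile.openstreetmap.org/11/1086/692.png',
  mode: 'no-cors', // a plain <img> load
  corp: null,      // assumption: the response has no CORP header
};

for (const coep of ['require-corp', 'credentialless', 'unsafe-none']) {
  console.log(coep.padEnd(15), corpVerdict({ ...tile, coep }));
}
```

The same image passes once the page is no longer served with `require-corp`, which is why disabling the app or overriding the header restores the tiles.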

@juliusknorr could you please have a look at this issue?

droogi avatar Oct 27 '24 07:10 droogi

Any update on this issue? It's preventing me from updating past NC 28. I thought there was something wrong with my install but I was able to confirm I'm experiencing this problem.

kstorbakken avatar Nov 19 '24 05:11 kstorbakken

I have an issue where Memories works fine except for public share links for albums.

When an album is viewed via a public share link (by unregistered/not-logged-in users), the thumbnail previews don't show. A placeholder is shown instead. When a thumbnail is clicked, a bigger placeholder shows. When the bigger placeholder is clicked, the image loads correctly.

This only happens on public share links. The same album shows fine, previews and all, from within the Memories app, as does every other picture.

This problem ONLY happens if the Nextcloud Office app is enabled. If I disable Office, and immediately refresh a logged-out tab showing a public-link album, the thumbnails show up straight away. If I then re-enable the Office app, and again immediately refresh the public link album tab, the thumbnails don't load.

The browser console shows 500 errors when trying to access the thumbnails.

This suggests the Office app is doing something to interfere with how Memories handles public link thumbnails and images. I applied the fix referenced here by @tcitworld but it didn't help.

dinosmm avatar Dec 10 '24 19:12 dinosmm

This issue is also preventing the mail app from showing embedded HTML mails.

https://github.com/nextcloud/mail/issues/10317#issuecomment-2582693687

muchachagrande avatar Jan 10 '25 14:01 muchachagrande

This is the second time this issue has given me some headache, and I finally found out that Nextcloud Office is the culprit! :D

For me, the issue is Nextcloud Maps too, which doesn’t work now because of this app’s COEP policy. The setting credentialless sounds like a good compromise for this, though Safari lacking support probably raises the issue. (credentialless allows in the long run also for some better error messages, probably, because the collabora server could inform the app that no credentials were given, so probably some CSP settings would have to be adjusted!)

Anyway, in this current situation this probably doesn’t work that well except if going for UA-detection (which I think we don’t want to do). Your current PR also seems to fix the issue, is there any chance this could be fixed soon? :)

EDIT: Okay, after looking into it, disabling WASM in collabora restores all functionality! Well, I guess, that’s a workaround then. :)

Elsensee avatar Mar 04 '25 14:03 Elsensee

I ended up updating from NC 28 to NC 30 and leaving the Office app disabled for now. I tried disabling WASM in my Collabora container and confirmed it by visiting the /hosting/capabilities page. It unfortunately had no effect for me.

kstorbakken avatar Mar 14 '25 01:03 kstorbakken

Disabling office apps for now also solved it for me. Need to find a way to get office back without clashing with other NC apps.

chrsch avatar Mar 23 '25 10:03 chrsch

As I said in another thread, adding cross-origin-embedder-policy require-corp to .htaccess has solved NS_ERROR_DOM_COEP_FAILED for me.

muchachagrande avatar Mar 23 '25 16:03 muchachagrande

CSP, CORS, COEP etc headers should be generally set/changed for the individual pages used by an app, never globally.

MichaIng avatar Jun 02 '25 20:06 MichaIng

I agree, but as a workaround I had to set them globally until the apps get fixed. I'm having more than one problem with different apps and this workaround solves them.

muchachagrande avatar Jun 02 '25 23:06 muchachagrande

I mean Nextcloud Office (any Nextcloud app) should set these headers only for its very own specific pages/URLs. Until this has been solved, indeed you have no other good chance than overriding the headers Nextcloud Office sets via webserver config.

MichaIng avatar Jun 02 '25 23:06 MichaIng