I have been using Nextcloud (on Nginx) for a while now and I want to iframe it for another website. However, the header does not accept my directives.
I changed the header option in /var/www/nextcloud/lib/private/legacy/response.php into the following:
header('X-Frame-Options: ALLOW-FROM https://example.com');
However, when I make an example webpage with an iframe, it gives me the following error:
Invalid 'X-Frame-Options' header encountered when loading 'https://nextcloud.example.com/apps/files/': 'ALLOW-FROM https://example.com' is not a recognized directive. The header will be ignored.
Does anyone have an idea why this does not work?
allow-from is 'obsolete'. You can use the Content-Security-Policy header instead:
header('Content-Security-Policy: frame-ancestors https://example.com');
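To check what a given set of response headers permits, the following added example (not part of the original question or answer, and not Nextcloud code) evaluates them the way the error message above describes: an unrecognized X-Frame-Options value such as ALLOW-FROM is ignored, and when a frame-ancestors directive is present it decides instead of X-Frame-Options. It is a simplified model that assumes sources are written with a scheme, checks only the direct parent, and treats multiple Content-Security-Policy headers as all having to allow the parent; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) for a URL or a CSP host-source."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def _source_matches(source, parent, page):
    """Match one frame-ancestors source expression against the embedding page."""
    if source == "*":
        return True
    if source.lower() == "'self'":
        return _origin(parent) == _origin(page)
    s_scheme, s_host, s_port = _origin(source)   # 'none' yields an empty host
    p_scheme, p_host, p_port = _origin(parent)
    if s_host.startswith("*."):
        host_ok = p_host.endswith(s_host[1:])    # wildcard covers subdomains only
    else:
        host_ok = p_host == s_host
    return s_scheme == p_scheme and host_ok and s_port == p_port

def _frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP value, or None if absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_allowed(headers, page, parent):
    """headers: list of (name, value). True if `parent` may frame `page`."""
    lists = [fa for n, v in headers if n.lower() == "content-security-policy"
             for fa in [_frame_ancestors(v)] if fa is not None]
    if lists:  # frame-ancestors present: X-Frame-Options is not consulted
        return all(any(_source_matches(s, parent, page) for s in fa) for fa in lists)
    for n, v in headers:
        if n.lower() == "x-frame-options":
            value = v.strip().upper()
            if value == "DENY":
                return False
            if value == "SAMEORIGIN":
                return _origin(parent) == _origin(page)
            # Any other value, including ALLOW-FROM, is ignored.
    return True

# Constructed sample: the header from the question, which ends up restricting nothing.
QUESTION_HEADERS = [("X-Frame-Options", "ALLOW-FROM https://example.com")]
```

Run it against the headers the server actually returns (for example from `curl -I`), since a second Content-Security-Policy header added in PHP or Nginx can only tighten, never loosen, one that is already being sent.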