Public calendar iframe has issues on some browsers

[tcitworld]

OS	Linux	Windows
Firefox	Works	Works
Chrome 54	Displays the grid, not the events. When refreshed, redirect issue.	Displays the grid, not the events. When refreshed, redirect issue.
Chromium 53	Works	Not tested
Chromium 54	Not tested	Displays the grid, not the events. When refreshed, redirect issue.
Edge	Not available	Works
IE 12	Not available	Displays the grid, not the events

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[tcitworld]

@georgehrke Can you test on Safari ?

[tcitworld]

The Chrome error is ERR_TOO_MANY_REDIRECTS

[georgehrke]

@tcitworld Do you have some example code for me?
Did you just include the iframe into an otherwise blank html file?

[georgehrke]

ping @tcitworld ^ :)

[tcitworld]

For instance this one works with Firefox and Chromium but not Chrome on Linux : http://www.berrylab36.org/Ouverture

Here it's embeed within SPIP but I've heard of the same issue with a Wordpress. Will try myself.

[georgehrke]

Safari 10 on macOS works just fine for me.

[georgehrke]

I see a few issues here.
To my knowledge there is no X-FRAME-OPTIONS: ALLOW. There is only DENY, SAMEORIGIN and ALLOW-FROM https://...

Further Chrom(e|ium) doesn't support X-Frame-Options.
It expects something like Content-Security-Policy: frame-ancestors my-trusty-site.com
Source: https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet#Preventing_Clickjacking

Also Chrom(e|ium) got more strict about https lately.
Maybe it's related to the fact, the berrylab36.org is http, but framagenda.org is https. (at least when sending requests like PROPFIND or so)

Maybe @LukasReschke has more insights here

[georgehrke]

IE doesn't work for the same reason the calendar app itself doesn't work in Internet explorer.

Should we display some overlay asking the user to use a different webbrowser?

[tcitworld]

I guess this needs some tweaking.

[tcitworld]

Will see how nextcloud/server#1472 handles things.

[enoch85]

I can confirm this. Got redirected to many times Chrome version 56.0.2924.87 (64-bit)

[enoch85]

Maybe my Ǹextcloud is to secure?

Firefox

Load denied by X-Frame-Options: https://cloud.techandme.se/apps/calendar/public/G1ZXEIKC3AGL8X4S does not permit cross-origin framing.

[georgehrke]

Maybe @LukasReschke has more insights here

@LukasReschke ping :)

[georgehrke]

IE doesn't work for the same reason the calendar app itself doesn't work in Internet explorer.
Should we display some overlay asking the user to use a different webbrowser?

At least IE 11 should be fixed by now

[flips]

Seeing the same " redirected you too many times" in both Opera 43.0.2442.1165 and Chrome 57.0.2987.110. In Firefox 52.0.1 only seeing blank iframe. (macOS 10.12, all 64 bit browsers)

[georgehrke]

We don't support Opera. Will definitely look into the Chrome and Firefox issue

[flips]

When I used http://www.tinywebgallery.com/blog/advanced-iframe/free-iframe-checker
it also complained about the X-FRAME-OPTIONS ... (As mentioned previously here)
Placing my test.html file on the same domain as my NextCloud installation, the iFrame started working in Firefox, but not in Safari (10.0.3) or Chrome (where they are now both blank, I don't get the framing or anything, and not the same too many redirects error).

[georgehrke]

This requires changes to the Nextcloud server, to be released with Nextcloud 12.
Rescheduling this ticket to Calendar 1.7.0

[law]

Still seeing this issue on Nextcloud 12 and Chrome. tl; dr - firefox and safari work, Chrome throws a redirect error.

[haug-den-lucas]

Error still exists.
I'd really love to add the iframe to my webpage, but sadly it still doesn't work.
Any fixes or workarounds?

[georgehrke]

@Ich5003 What Browser, Nextcloud version, calendar app version?

[tcitworld]

Thanks to nextcloud/server#11433 we should be good with NC15.

[rullzer]

Yes you should.
Would be good of course if somebody coould setup a test server and test it 😉

[tcitworld]

@rullzer I tested and we're still blocked by https://github.com/nextcloud/server/blob/master/lib/private/AppFramework/Middleware/Security/SameSiteCookieMiddleware.php#L60-L61 which triggers 302s for every request.

[rullzer]

Ah ok. So the check I had in mind doesn't fully work. As that would with the current logic log you out of your nextcloud if you embed a page.

Thinking more this would need a few adjustments

1. calendar endpoint must of course be marked with @NoSameSiteCookieRequired
2. The css and js endpoint should be marked as such I don't think this hurts as this is public info anyway
3. The theming endpoints should be marked as such. Also should not be that much of an issue as they just serve generic theming info

[tcitworld]

Works perfectly ! Will send PRs. :)

[FredMa01]

Same issue. Embed code generate this error :`

The page is not redirected correctly
An error occurred while connecting to framagenda.org.
The cause of this problem can be the deactivation or refusal of cookies.

[fpoulain]

Using the embed link on a recent NC 18, I am receiving

Content-Security-Policy: ... 'self';frame-ancestors 'self'; ...

Consequently Firefox block the content loading, even from a parent domain (X-Frame-Option is ignored when CSP is defined). Afaik there is no option in NC to define a « trusted embeder ». Moreover, may be the embed link should allow anyone to embed.

I overcame the situation by munging Content-Security-Policy by this kludge on my reverse proxy:

       location / {
               proxy_pass http://xxx.xxx.xxx.xxx;
               location /nextcloud/apps/calendar/embed/ {
                       proxy_pass http://xx.xx.xx.xx;
                       proxy_hide_header Content-Security-Policy;
                       add_header Content-Security-Policy "frame-ancestors 'self' https://ourwebsite.com https://www.ourwebsite.com";
               }
       }

[rullzer]

A fixis already in master. and will be in the next release.
CC: @georgehrke

[nd-]

Hello, NC 18.0.6 and I still have this problem.
Is it supposed to be fixed with the latest releases ?

I even added the headers mentionned by @fpoulain (Content-Security-Policy "frame-ancestors 'self' https://ourwebsite.com") but nada...

[nderambure]

Same here.

[georgehrke]

It should work on Nextcloud 19. There are known issues with Nextcloud 18 and below.

[nd-]

I updated to NC 19 (on the beta channel), it still doesn't work.

With Chrome, I still see these errors in the console coming from the calendar url when I browse the page with an iframe:
Failed to load resource: the server responded with a status of 503 (Service Unavailable)
Failed to load resource: net::ERR_TOO_MANY_REDIRECTS

[gelmio]

It should work on Nextcloud 19. There are known issues with Nextcloud 18 and below.

We updated to NC19 and still have the same issue; firefox requests still returning a 503; chrome is fine.

[ashnansen]

There are also a problem with embeding it in wordpress