Nextcloud 19 Server: Allow iframe / embedding from external Domains

If you host your own Nextcloud server and try to embed some of its content via an iframe, for example a shared public link to a folder, you will notice that it doesn't work. There are some forum topics on this, but most of them target old Nextcloud server versions and no longer work. This blog post briefly describes the solution I put together from the useful bits of that information and tested on the current Nextcloud 19.

The Problem

When you try to embed a link to a Nextcloud instance in an external website, it doesn't work. Chromium-based browsers show nothing, while Firefox gives you an error message:

Firefox Can't Open This Page

To protect your security, XXX will not allow Firefox to display the page if another site has embedded it. To see this page, you need to open it in a new window.
Firefox Error

The Solution

The root cause is that Nextcloud, by default, blocks external sites from embedding it. You can solve the problem if you are the administrator of the Nextcloud instance. It doesn't matter whether the installation was done from the command line, with Docker, or directly on shared hosting. You don't need access to the site that embeds the content of the cloud.

In most cases, changing lines 88-91 of the /lib/public/AppFramework/Http/ContentSecurityPolicy.php file of the Nextcloud server solves the problem. Just add the domains you want to allow to the $allowedFrameAncestors array:

/** @var array Domains which can embed this Nextcloud instance */
protected $allowedFrameAncestors = [
    '\'self\'',
    'your-embed-allow-domain.com'
];

Some people also suggest changing the $allowedFrameDomains array in line 79 of the same file, but this shouldn't be relevant: it governs the opposite direction of embedding, namely which domains Nextcloud itself may load in iframes:

/** @var array Domains from which iframes can be loaded */
protected $allowedFrameDomains = [
    'another-domain.com'
];

Furthermore, if this doesn't work in all cases, try commenting out line 102 of the /lib/private/legacy/OC_Response.php file by adding // before the header:

// header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

Sidenote: In older Nextcloud versions the file is called response.php.

Disabling X-Frame-Options could result in security risks, because every site could then embed your cloud. To be a bit more secure, just add the domains or subdomains you want to allow. As stated in this StackOverflow question and answer, it is suggested to use Content-Security-Policy instead, but there are still some problems with our good old friend, Internet Explorer. To allow, for example, return2.net and all its subdomains to embed your cloud, simply replace line 102 of the OC_Response.php file with:

header('X-Frame-Options: ALLOW-FROM https://return2.net');
header('X-Content-Security-Policy: frame-ancestors https://*.return2.net');
header('Content-Security-Policy: frame-ancestors https://*.return2.net');
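To verify what the headers you just configured actually permit, here is a small checker added for this post (it is not Nextcloud code). It models what a current browser does: a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, whose obsolete ALLOW-FROM value causes that header to be ignored entirely, so the https://*.return2.net source alone decides, and it matches subdomains only, not return2.net itself. The header values and the https://cloud.example origin are constructed, not captured from a real server.

```python
"""Framing-header checker added for this post (not Nextcloud code). Models a
modern browser: a CSP frame-ancestors directive overrides X-Frame-Options, and
the obsolete ALLOW-FROM value makes the whole X-Frame-Options header ignored."""
from urllib.parse import urlsplit


def _source_matches(source: str, origin: str, self_origin: str) -> bool:
    """Match one frame-ancestors source expression against an embedding origin.
    Ports and paths in source expressions are ignored (simplification)."""
    src, o = source.lower(), urlsplit(origin.lower())
    origin_host = o.hostname or ""
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return origin.lower() == self_origin.lower()
    scheme, sep, host = src.rpartition("://")
    if sep and scheme != o.scheme:              # explicit scheme must match
        return False
    host = host.split("/")[0].split(":")[0]     # drop path and port
    if host.startswith("*."):
        # "*.return2.net" matches blog.return2.net but NOT the apex return2.net
        return origin_host.endswith(host[1:])
    return origin_host == host


def framing_allowed(headers: dict, embedding_origin: str, self_origin: str) -> bool:
    """True if a CSP-aware browser would let embedding_origin frame this response."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":   # CSP wins over X-Frame-Options
            return any(_source_matches(s, embedding_origin, self_origin)
                       for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedding_origin.lower() == self_origin.lower()
    return True  # no header, or obsolete ALLOW-FROM, which browsers ignore


# Constructed headers mirroring the post's final OC_Response.php edit.
POST_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://return2.net",
    "Content-Security-Policy": "frame-ancestors https://*.return2.net",
}

if __name__ == "__main__":
    for origin in ("https://blog.return2.net", "https://return2.net"):
        print(origin, framing_allowed(POST_HEADERS, origin, "https://cloud.example"))
```

Feed it the response headers of a curl -I request against a public share URL of your instance to confirm the edit actually took effect.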

That's it! Now you should be able to embed Nextcloud in other websites. If problems remain, a restart of your web server (Apache / nginx) may resolve them.