How to fix NextCloud OnlyOffice MixedContent or 'Refused to frame 'http://...' because it violates the following Content Security Policy directive: "frame-src https://..."'
Problem:
In reverse-proxy setups that forward requests to OnlyOffice, like our reference setup, you might encounter errors like
onlyoffice_frame_error.txt
Refused to frame 'http://onlyoffice.mydomain.com/' because it violates the following Content Security Policy directive: "frame-src https://onlyoffice.mydomain.com/".
Solution:
Just add
onlyoffice-proxy.conf
proxy_set_header X-Forwarded-Proto $scheme;
directly after your proxy_pass clause in your nginx config, then run sudo service nginx reload.
The reason for this issue is that OnlyOffice thinks it’s being loaded using HTTP, but the Nextcloud page prevents insecure content from being loaded.
Using a proxy other than nginx? Just ensure that every proxied request (i.e. every request directed towards the OnlyOffice instance) has the X-Forwarded-Proto header set to the protocol of the original request - which should be https.
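One subtlety when applying this fix: nginx inherits proxy_set_header from an outer level only if the current level defines none, so the header must be effective in every block that contains proxy_pass. The checker below is an added example, not part of the original post; it uses a simplified parser and only checks that the header is set, and the upstream address and /healthcheck location in its constructed sample are assumptions.

```python
import re

# Constructed sample config; the upstream address and /healthcheck are assumptions.
SAMPLE = """
server {
    server_name onlyoffice.mydomain.com;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;   # defining any header here drops the inherited one
    }
    location /healthcheck { proxy_pass http://127.0.0.1:8080; }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(tokens):
    """Turn a token iterator into [(words, children)]; children is None for 'name args;'."""
    out, words = [], []
    for tok in tokens:
        if tok == ";":
            out.append((words, None)); words = []
        elif tok == "{":
            out.append((words, parse(tokens))); words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return out

def missing_proto(block, inherited=(), path="main"):
    """Return the blocks that proxy_pass without an effective X-Forwarded-Proto header."""
    own = [w[1].lower() for w, c in block
           if c is None and len(w) > 1 and w[0] == "proxy_set_header"]
    # nginx inherits proxy_set_header from the outer level only if this level sets none.
    effective = own or list(inherited)
    proxies = any(c is None and w[:1] == ["proxy_pass"] for w, c in block)
    found = [path] if proxies and "x-forwarded-proto" not in effective else []
    for w, c in block:
        if c is not None:
            found += missing_proto(c, effective, " ".join(w))
    return found

def check(conf_text):
    """Simplified scan: strips '#' comments, ignores include files and ${var} syntax."""
    tokens = iter(TOKEN.findall(re.sub(r"#[^\n]*", "", conf_text)))
    return missing_proto(parse(tokens))
```

Calling check(SAMPLE) reports "location /": its own Host header replaces the server-level X-Forwarded-Proto, while /healthcheck still inherits it.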