Univention Bugzilla – Bug 53161
do not open Apps in IFrames by default
Last modified: 2021-05-25 16:03:13 CEST
Created attachment 10702 [details] portal when external app cannot be loaded UCS 5, with nextcloud app installed on primary dc. On a replica dc, the default portal shows the nextcloud entry in the 'Applications' section (internal category name: domain-service). When clicking on the nextcloud entry, the app does not load. Instead the browser shows a generic error in the iframe: '$fqdn hat die Verbindung abgelehnt' or '... has rejected/refused the connection' The browser console shows: Refused to frame 'https://$fqdn/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". See screenshot how it looks in the browser.
In my tests Nextcloud (and most probably various other apps) doesn't allow to be openend in an IFrame at all. We should change the default for 3rd party Apps, they should be opened in a new browser tab.
*** Bug 53206 has been marked as a duplicate of this bug. ***
Bug#53206 explains how we would approach that: Apps can decide whether they want to be opened in an iframe. Nextcloud would opt-out.
This is now how it works: Add WebInterfaceLinkTarget=newwindow to the App's ini file. Possible is "newwindow" (new tab), "samewindow" (would replace portal...), "embedded" (iframe), "useportaldefault" (use... portal default). Technically, this UCR variable is set: ucr set ucs/web/overview/entries/service/$app/link-target=newwindow which then triggers the create_portal_entries UCR module. What now? We go over the Apps and verify that iframe is possible. If not, we set the ini variable to "newwindow". If we fail to catch all, we can still do it later. As soon as the App Center module is opened, an updated WebInterfaceLinkTarget on an installed App would immediately change the portal entry. The default is "useportaldefault" in which case the UCR variable is not set at all. This gives an admin the chance to set it manually, in case they don't want to wait for us to fix the App. (while ucr set --force gives them even more power) App Provider Portal is not touched, i.e. you would need to add it at the "Advanced" widget at the moment. Update from 4.4 to 5.0 should work as expected, because we do a "univention-app register --app" in postup.sh. I.e., an already installed Nextcloud would get a "linkTarget=newwindow" without any further actions. [5.0-0 1bc645f5dc] Bug #53161: Apps may now specify how the link of their portal tile is created (newwindow, embedded, ...) 4 files changed, 21 insertions(+) Package: univention-appcenter Version: 9.0.2-39A~5.0.0.202105042358
(In reply to Dirk Wiesenthal from comment #4) > This is now how it works: Add > > WebInterfaceLinkTarget=newwindow > > to the App's ini file. > > Possible is "newwindow" (new tab), "samewindow" (would replace portal...), > "embedded" (iframe), "useportaldefault" (use... portal default). > > Technically, this UCR variable is set: > > ucr set ucs/web/overview/entries/service/$app/link-target=newwindow > > which then triggers the create_portal_entries UCR module. > > What now? We go over the Apps and verify that iframe is possible. If not, we > set the ini variable to "newwindow". If we fail to catch all, we can still > do it later. As soon as the App Center module is opened, an updated > WebInterfaceLinkTarget on an installed App would immediately change the > portal entry. > > The default is "useportaldefault" in which case the UCR variable is not set > at all. This gives an admin the chance to set it manually, in case they > don't want to wait for us to fix the App. (while ucr set --force gives them > even more power) > > App Provider Portal is not touched, i.e. you would need to add it at the > "Advanced" widget at the moment. > > Update from 4.4 to 5.0 should work as expected, because we do a > "univention-app register --app" in postup.sh. I.e., an already installed > Nextcloud would get a "linkTarget=newwindow" without any further actions. > > [5.0-0 1bc645f5dc] Bug #53161: Apps may now specify how the link of their > portal tile is created (newwindow, embedded, ...) > 4 files changed, 21 insertions(+) > > Package: univention-appcenter > Version: 9.0.2-39A~5.0.0.202105042358 What is the "useportaldefault", in my tests it was still "embedded", if so, is this the best option? Because then we would have to check the "iframe" compatibility for every app we want to release with UCS 5 (we need at least a bug for that, so we dont forget)
(In reply to Felix Botner from comment #5) > What is the "useportaldefault", in my tests it was still "embedded", if so, > is this the best option? Because then we would have to check the "iframe" > compatibility for every app we want to release with UCS 5 (we need at least > a bug for that, so we dont forget) As discussed, we will double check all Apps before release, the code works as it is meant to work.
(In reply to Dirk Wiesenthal from comment #6) > (In reply to Felix Botner from comment #5) > > What is the "useportaldefault", in my tests it was still "embedded", if so, > > is this the best option? Because then we would have to check the "iframe" > > compatibility for every app we want to release with UCS 5 (we need at least > > a bug for that, so we dont forget) > > As discussed, we will double check all Apps before release, the code works > as it is meant to work. OK, Felix is also OK with this. OK: new app ini attribute OK: changelog entry
Better safe than sorry: As discussed, we will change the behaviour: * Apps will be default be opened without iframes * UMC modules will be opened in iframes * Portal default will be iframes, BUT: updated portals will have "newwindow"
e5eff4c7 · Bug #53161: More conservative iframe approach in App Center 3bfd353c · Bug #53161: More conservative iframe approach in portal
OK: new defaults
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".