From 09f1fac2be0b4e5b2106c1d8ac33108955e42263 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Fri, 15 May 2026 11:14:50 +0200
Subject: [PATCH 1/4] ALLOWALL is not a valid value for the X-Frame-Options header

Source: https://stackoverflow.com/questions/44436659/change-the-x-frame-options-to-allow-all-domains#comment103878548_50840793
---
 compose/seatable-server.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/compose/seatable-server.yml b/compose/seatable-server.yml
index 4153782..f0fb87f 100644
--- a/compose/seatable-server.yml
+++ b/compose/seatable-server.yml
@@ -81,22 +81,16 @@ services:
 `"
 # Allow iframes for some directories
 caddy_0.route_0: /dtable/view-external-links/*
- caddy_0.route_0.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_0.header.-Content-Security-Policy: ""
 caddy_0.route_1: /dtable/external-links/*
- caddy_0.route_1.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_1.header.-Content-Security-Policy: ""
 caddy_0.route_2: /dtable/external-apps/*
- caddy_0.route_2.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_2.header.-Content-Security-Policy: ""
 caddy_0.route_3: /dtable/forms/*
- caddy_0.route_3.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_3.header.-Content-Security-Policy: ""
 caddy_0.route_4: /apps/custom/*
- caddy_0.route_4.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_4.header.-Content-Security-Policy: ""
 caddy_0.route_5: /external-apps/*
- caddy_0.route_5.header.X-Frame-Options: "ALLOWALL"
 caddy_0.route_5.header.-Content-Security-Policy: ""
 caddy_1: ":80"

From 18706d0ff7d16124eaef786c99fd6c5d0e89a99e Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Fri, 15 May 2026 13:06:56 +0200
Subject: [PATCH 2/4] Remove default CSP settings for /dtable/external-apps-edit/*

This is required in order to preview AI-generated HTML pages
---
 compose/seatable-server.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/compose/seatable-server.yml b/compose/seatable-server.yml
index f0fb87f..82dedaa 100644
--- a/compose/seatable-server.yml
+++ b/compose/seatable-server.yml
@@ -92,6 +92,8 @@ services:
 caddy_0.route_4.header.-Content-Security-Policy: ""
 caddy_0.route_5: /external-apps/*
 caddy_0.route_5.header.-Content-Security-Policy: ""
+ caddy_0.route_6: /dtable/external-apps-edit/*
+ caddy_0.route_6.header.-Content-Security-Policy: ""
 caddy_1: ":80"
 caddy_1.@http.protocol: "http"

From dd8e3ee0b33a296a876e5d6e0edb2f28ca42d6b5 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 18 May 2026 17:01:00 +0200
Subject: [PATCH 3/4] Introduce COLLABORA_HOSTNAME variable

This will allow configuring the CSP header without directly modifying seatable-server.yml in case Collabora is deployed on a separate domain.
---
 compose/seatable-server.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/compose/seatable-server.yml b/compose/seatable-server.yml
index 82dedaa..a986618 100644
--- a/compose/seatable-server.yml
+++ b/compose/seatable-server.yml
@@ -70,9 +70,9 @@ services:
 font-src 'self' data: unpkg.com ${SEATABLE_SERVER_HOSTNAME}:${TLDRAW_PORT:-6239} fonts.gstatic.com;
 img-src 'self' data: blob: https: market.seatable.io market.seatable.com mt0.google.com maps.googleapis.com maps.gstatic.com;
 media-src 'self';
- form-action 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+ form-action 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-};
 connect-src 'self' market.seatable.io market.seatable.com https: ws: blob: data:;
- frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
 frame-ancestors 'self';
 worker-src 'self' blob:;
 manifest-src 'self';

From 133b6fd153dfc6361b6bea46fbc2bbb445978612 Mon Sep 17 00:00:00 2001
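Review bot: The added `caddy_0.route_6.header.-Content-Security-Policy: ""` drops the entire policy from `/dtable/external-apps-edit/*`, including the site-wide `frame-ancestors 'self'`, so the editor route loses its framing and script restrictions together, not only whatever was blocking the HTML preview. No `X-Frame-Options` is set on this route either, so whether the editor page stays unframeable now depends on headers the upstream app sends on its own, which this file does not show. Consider replacing the delete with a route-scoped policy that keeps the framing directive, e.g. `caddy_0.route_6.header.Content-Security-Policy: "frame-ancestors 'self'"`, and confirm by inspecting the emitted response header how a route-level `header` set interacts with the site-wide `caddy_0.header.Content-Security-Policy` in Caddy's handler order; rendering the preview inside a sandboxed iframe would keep the full policy on the editor itself. A comment above the new route, e.g. `# CSP removed so AI-generated HTML previews can render; this also lifts frame-ancestors and script-src here`, would tell the next maintainer what the trade-off is.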
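Review bot: `${COLLABORA_HOSTNAME:-}` is spliced verbatim into the `form-action` and `frame-src` source lists, so whatever an operator sets in the environment becomes a CSP source expression with no shape check; a scheme-only or wildcard token there would make both directives far wider than a single host, and a value carrying a path is accepted by compose interpolation without complaint. Nothing on the page documents the expected format of the new variable, so a comment next to the directive, e.g. `# COLLABORA_HOSTNAME: host[:port] of an external Collabora server, no scheme or path; leave empty when Collabora runs behind SEATABLE_SERVER_HOSTNAME`, plus a matching entry in the deployment's env template, would close that gap. The same applies to `${ONLYOFFICE_HOSTNAME:-}` in the following patch. The empty default leaves a doubled space inside the header value, which browsers tolerate.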
From: Simon Hammes
Date: Mon, 18 May 2026 17:32:32 +0200
Subject: [PATCH 4/4] Introduce ONLYOFFICE_HOSTNAME variable

This will allow configuring the CSP header without directly modifying seatable-server.yml in case OnlyOffice is deployed on a separate domain.
---
 compose/seatable-server.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/compose/seatable-server.yml b/compose/seatable-server.yml
index a986618..6eea84f 100644
--- a/compose/seatable-server.yml
+++ b/compose/seatable-server.yml
@@ -66,13 +66,13 @@ services:
 default-src 'none';
 style-src 'unsafe-inline' 'self' fonts.googleapis.com;
 script-src 'unsafe-inline' 'unsafe-eval' 'self';
- script-src-elem 'unsafe-inline' 'self' ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+ script-src-elem 'unsafe-inline' 'self' ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} ${ONLYOFFICE_HOSTNAME:-} maps.googleapis.com unpkg.com;
 font-src 'self' data: unpkg.com ${SEATABLE_SERVER_HOSTNAME}:${TLDRAW_PORT:-6239} fonts.gstatic.com;
 img-src 'self' data: blob: https: market.seatable.io market.seatable.com mt0.google.com maps.googleapis.com maps.gstatic.com;
 media-src 'self';
 form-action 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-};
 connect-src 'self' market.seatable.io market.seatable.com https: ws: blob: data:;
- frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+ frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} ${ONLYOFFICE_HOSTNAME:-};
 frame-ancestors 'self';
 worker-src 'self' blob:;
 manifest-src 'self';
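Review bot: Adding `${ONLYOFFICE_HOSTNAME:-}` to `script-src-elem` is a larger trust grant than the `frame-src` entry further down the hunk: scripts fetched from that host execute in the SeaTable origin, so the variable names a server whose integrity is equivalent to the integrity of the app's own frontend. That is inherent to an OnlyOffice integration that loads its editor script from the document server, but it deserves a comment where the variable is first used, e.g. `# ONLYOFFICE_HOSTNAME is allowed to serve scripts into the SeaTable origin; point it only at a document server you operate`. `form-action` was extended for Collabora in the previous patch but is not extended for OnlyOffice here; if that asymmetry is intentional, a one-line comment would stop the next person from "fixing" it.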