b0esche/b0esche_cloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Collabora WOPI: Put WOPISrc in URL query param, not form body

Browse Source
This commit is contained in:
Leon Bösche
2026-01-13 14:50:24 +01:00
parent 634aa521bd
commit 70039a8288
1 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
go_cloud/internal/http/wopi_handlers.go
View File

@@ -6,8 +6,7 @@ import (
"fmt"
"io"
"net/http"
//"net/url"
"net/url"
"strings"
"sync"
"time"
@@ -752,9 +751,16 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
// Get the correct Collabora editor URL from discovery (includes version hash)
editorURL := getCollaboraEditorURL(collaboraURL)
// URL-encode the WOPISrc for use in the form action URL
encodedWopiSrc := url.QueryEscape(wopiSrc)
// Build the full Collabora URL with WOPISrc as query parameter
// Collabora expects: cool.html?WOPISrc=<encoded-url>
collaboraFullURL := fmt.Sprintf("%s?WOPISrc=%s", editorURL, encodedWopiSrc)
// Return HTML page with auto-submitting form
// The form POSTs to Collabora from within an iframe to work around CSP frame-ancestors restrictions
// The iframe is hosted on the same domain as the embedded page, allowing the POST to complete
// The form POSTs to Collabora with access_token in the body
// WOPISrc must be in the URL as a query parameter
htmlContent := fmt.Sprintf(`<!DOCTYPE html>
<html>
<head>
@@ -772,7 +778,6 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
<p>Loading Collabora Online...</p>
</div>
<form method="POST" action="%s" target="_self" id="collaboraForm" style="display: none;">
<input type="hidden" name="WOPISrc" value="%s">
<input type="hidden" name="access_token" value="%s">
</form>
<script>
@@ -786,12 +791,12 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
}
</script>
</body>
</html>`, editorURL, wopiSrc, accessToken, editorURL)
</html>`, collaboraFullURL, accessToken, collaboraFullURL)
w.Header().Set("Content-Type", "text/html; charset=utf-8")
// Don't set X-Frame-Options - this endpoint is meant to be loaded in an iframe
w.WriteHeader(http.StatusOK)
w.Write([]byte(htmlContent))
fmt.Printf("[COLLABORA-PROXY] Served HTML form: file=%s user=%s wopi_src=%s editor_url=%s\n", fileID, userID.String(), wopiSrc, editorURL)
fmt.Printf("[COLLABORA-PROXY] Served HTML form: file=%s user=%s wopi_src=%s editor_url=%s\n", fileID, userID.String(), wopiSrc, collaboraFullURL)
}