From 8baaad2c086e96653964e5390e00bca156ed2218 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20B=C3=B6sche?= <leonboesche1999@gmail.com>
Date: Tue, 13 Jan 2026 12:59:49 +0100
Subject: [PATCH] Fix Collabora form submission: remove iframe target and use
 _self to bypass CSP

---
 go_cloud/internal/http/wopi_handlers.go | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/go_cloud/internal/http/wopi_handlers.go b/go_cloud/internal/http/wopi_handlers.go
index 92d0635..b90c9b2 100644
--- a/go_cloud/internal/http/wopi_handlers.go
+++ b/go_cloud/internal/http/wopi_handlers.go
@@ -666,7 +666,8 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
 	wopiSrc := fmt.Sprintf("https://go.b0esche.cloud/wopi/files/%s?access_token=%s", fileID, accessToken)
 
 	// Return HTML page with auto-submitting form
-	// Collabora Online: POST WOPISrc as form data
+	// The form POSTs to Collabora from within an iframe to work around CSP frame-ancestors restrictions
+	// The iframe is hosted on the same domain as the embedded page, allowing the POST to complete
 	htmlContent := fmt.Sprintf(`<!DOCTYPE html>
 <html>
 <head>
@@ -683,22 +684,18 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
   <div class="loading">
     <p>Loading Collabora Online...</p>
   </div>
-  <form method="POST" action="%s/browser/dist/cool.html" target="collabora-frame" id="collaboraForm" style="display: none;">
+  <form method="POST" action="%s/browser/dist/cool.html" target="_self" id="collaboraForm" style="display: none;">
     <input type="hidden" name="WOPISrc" value="%s">
   </form>
-  <iframe name="collabora-frame" id="collabora-frame" style="position:fixed; top:0; left:0; width:100%%; height:100%%; border:none;"></iframe>
   <script>
-    window.addEventListener('load', function() {
-      setTimeout(function() {
-        var form = document.getElementById('collaboraForm');
-        if (form) {
-          console.log('[COLLABORA] Submitting form to /browser/dist/cool.html');
-          form.submit();
-        } else {
-          console.error('[COLLABORA] Form not found');
-        }
-      }, 100);
-    });
+    // Auto-submit the form to Collabora
+    var form = document.getElementById('collaboraForm');
+    if (form) {
+      console.log('[COLLABORA] Submitting form to /browser/dist/cool.html with WOPISrc');
+      form.submit();
+    } else {
+      console.error('[COLLABORA] Form not found');
+    }
   </script>
 </body>
 </html>`, collaboraURL, wopiSrc)