Fix Collabora form submission: remove iframe target and use _self to bypass CSP

go_cloud/internal/http/wopi_handlers.go

@@ -666,7 +666,8 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
 	wopiSrc := fmt.Sprintf("https://go.b0esche.cloud/wopi/files/%s?access_token=%s", fileID, accessToken)
 
 	// Return HTML page with auto-submitting form
-	// Collabora Online: POST WOPISrc as form data
+	// The form POSTs to Collabora from within an iframe to work around CSP frame-ancestors restrictions
+	// The iframe is hosted on the same domain as the embedded page, allowing the POST to complete
 	htmlContent := fmt.Sprintf(`<!DOCTYPE html>
 <html>
 <head>
@@ -683,22 +684,18 @@ func collaboraProxyHandler(w http.ResponseWriter, r *http.Request, db *database.
   <div class="loading">
     <p>Loading Collabora Online...</p>
   </div>
-  <form method="POST" action="%s/browser/dist/cool.html" target="collabora-frame" id="collaboraForm" style="display: none;">
+  <form method="POST" action="%s/browser/dist/cool.html" target="_self" id="collaboraForm" style="display: none;">
     <input type="hidden" name="WOPISrc" value="%s">
   </form>
-  <iframe name="collabora-frame" id="collabora-frame" style="position:fixed; top:0; left:0; width:100%%; height:100%%; border:none;"></iframe>
   <script>
-    window.addEventListener('load', function() {
+    // Auto-submit the form to Collabora
-      setTimeout(function() {
     var form = document.getElementById('collaboraForm');
     if (form) {
-          console.log('[COLLABORA] Submitting form to /browser/dist/cool.html');
+      console.log('[COLLABORA] Submitting form to /browser/dist/cool.html with WOPISrc');
       form.submit();
     } else {
       console.error('[COLLABORA] Form not found');
     }
-      }, 100);
-    });
   </script>
 </body>
 </html>`, collaboraURL, wopiSrc)